Archive by Author

Mailing list archives in read-only mode

Greetings,

The mailing list archive view for SourceForge projects is currently in read-only mode for maintenance. Messages sent to the mailing lists continue to work, but until the maintenance is complete, the archives will not update. We expect this to complete sometime tomorrow.

Best Regards,
Chris Tsai, SourceForge.net Support

Protecting your configuration files on Project web

Disclaimer: despite the date, this is *not* a joke.

Over the weekend, we started noticing a number of projects had a message added to their Project web pages that stated:

“This is a project whose homepage has been hacked with the SourceForge backdoor by a 1337 hacker…”

Upon investigating we found that the affected projects had configuration files (which contained database usernames and passwords) that were world readable. In other words, anyone looking in the right place could get these usernames and passwords and have direct access to the database.

Setting proper permissions

To protect these passwords, we need to make sure that the permissions are set correctly. There’s already a ton of information around the web on basic UNIX-style permissions, so in short: the web server reads files using the “group” permission, so the group needs read permission on the configuration file (g+r), but nobody else should have it (o-r). Generally speaking, for most config files, the value you want is “rw-r-----” (or 640).

For further reading, see our Project web filesystem permissions doc.

Filezilla

You can change the filesystem permissions in a variety of ways. Using the graphical sftp client FileZilla, for example, you can navigate to the file, right-click it and select “File Permissions”.


Shell or sftp command line

Or you can use “chmod” over command line sftp or the Shell Service:

sftp> chmod 640 /home/project-web/strawhat/htdocs/myawesomeapp/passwords.php
Changing mode on /home/project-web/strawhat/htdocs/myawesomeapp/passwords.php
sftp>
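Checking a whole Project web tree by hand is tedious, so here is an added example (not from the SourceForge post or its tooling) that does the same job from the Shell Service: it lists every file that still has the world-read bit set, and tightens files with config-like names to the 640 mode recommended above. The /home/project-web/... path is the post's placeholder project, and the filename patterns are a constructed list you should extend to match how your application names its credential files.

```shell
#!/bin/sh
# Added example, not code from the SourceForge post: audit a Project web
# directory for files readable by "other" (the world) and tighten them to
# mode 640 (owner read/write, group read for the web server, nothing for
# others), which is the value the post recommends for config files.
# The htdocs path in the usage lines is a placeholder for your own project.

# Print every regular file under $1 that has the world-read bit (0004) set.
list_world_readable() {
    find "$1" -type f -perm -004 2>/dev/null
}

# Return 0 if the single file $1 is world-readable, 1 otherwise.
is_world_readable() {
    [ -n "$(find "$1" -maxdepth 0 -type f -perm -004 2>/dev/null)" ]
}

# Return 0 if the file $1 is still readable by its group, 1 otherwise.
# The web server depends on the group bit, and 640 keeps it.
is_group_readable() {
    [ -n "$(find "$1" -maxdepth 0 -type f -perm -040 2>/dev/null)" ]
}

# Tighten world-readable config files under $1 to 640 and print each file
# changed. Only names matching the constructed patterns below are touched, so
# ordinary static content (HTML, images) is left alone; extend the list to
# match your application's credential files.
fix_config_perms() {
    dir="$1"
    find "$dir" -type f -perm -004 \
        \( -name '*.php' -o -name '*.ini' -o -name '*.conf' \
           -o -name 'config*' -o -name 'passwords*' \) \
        -print -exec chmod 640 {} +
}

# Usage (placeholder path, the same project as the post's sftp example):
#   list_world_readable /home/project-web/strawhat/htdocs
#   fix_config_perms    /home/project-web/strawhat/htdocs/myawesomeapp
```

Run `list_world_readable` first and read the output before running `fix_config_perms`; the audit is harmless, and the fix only changes files that are both world-readable and match one of the name patterns, so a file that is already 640 or 600 is never touched.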

Resetting DB passwords

Once the file permissions are set correctly, you should reset your project database passwords and update your config files accordingly.

To update your passwords on the New SourceForge (aka Allura) system, go to Admin -> Tools and, on the MySQL card, select “Admin MySQL Databases”.


On the Classic SourceForge system, go to Project Admin -> Feature Settings and, in the “Project Database (MySQL)” row, select “Manage”.


Other ways to protect yourself

  • Keep your SourceForge site credentials secure. Follow standard best practices, i.e., use strong passwords and don’t reuse passwords across multiple sites
  • Only add trusted users as Project Administrators
  • Keep your application up to date, especially for security fixes
  • Maintain regular backups

If you need further help with this, please let us know.

Parts of SourceForge site set to read-only for backend upgrades

Greetings,

Apologies for the late notice. We are performing backend upgrades to the site shortly, and parts of the site will be set to read-only. We anticipate that this will take approximately 2 hours, and during this time new user registrations and new login sessions will not be possible. Additionally, various aspects of the classic SourceForge system will be read-only as well. Thank you for bearing with us as we complete this upgrade.

The front page, directory, projects, and download flow will remain online.

Best Regards,
Chris Tsai, SourceForge.net Support

Unplanned downtime for Project web services

Greetings,

We are expecting some previously unplanned downtime for the Project web and VHOST services to commence shortly. We are working to keep this downtime to as short a duration as possible.

Best Regards,
Chris Tsai, SourceForge.net Support

ViewVC and anonymous pserver access for CVS offline

Greetings,

Since the CVS downtime yesterday, we’ve been experiencing poor performance for CVS. As such, we’ve disabled ViewVC and anonymous pserver access for the time being to prioritize developer read/write access while we address the performance issue. We do not have an estimate for the completion of this yet, but we will keep this post updated as this develops.

UPDATE: ViewVC is now available again, however, the data in ViewVC is still from before the previous downtime. Anonymous pserver is still offline. We’re working to get both these caught up with the latest updates as soon as we can.

UPDATE 2: As of 2012-12-06, anonymous pserver is back online. Note however that both anonymous access methods (ViewVC and pserver) will now lag behind developer changes. Under normal operation, they should be no more than one (1) hour behind. Developer access will always be current.

Best Regards,
Chris Tsai, SourceForge.net Support