SourceForge Forced Password Change

On 2014-05-22, we triggered a forced password change for SourceForge users.

  • We have adopted a longer minimum password length standard.
  • There has been a change in our authentication layer, moving to a more modern Open Source platform.
  • Password hashing algorithm and key length have changed.
  • Forced password reset has occurred sitewide to ensure all stored password hashes meet these stronger standards.
  • All site users have been sent an email asking for a password change.
  • There has been no known breach or compromise of our systems.

SourceForge.net Password Reset Required

Greetings,

To make sure we’re following current best practices for security, we’ve made some changes to how we’re storing user passwords. As a result, the next time you go to log in to your SourceForge.net account, you will be prompted to change your password. Once this is done, your password will be stored more securely. We recommend that you do this at your earliest convenience by visiting the SourceForge website and logging in.

And, as always, be vigilant about password security. Use a secure password, never include your password in an email, and don’t click on links for unsolicited password resets.

If you have any concerns about this, please contact SourceForge support at sfnet_ops@slashdotmedia.com

Best regards,
SourceForge Team

SourceForge response to Heartbleed

Hello,

A vulnerability is something susceptible to attack (regardless of whether attack actually occurs using that weakness), and a compromise is something that has been successfully attacked.

Sites and services across the internet have been impacted by a recent vulnerability in OpenSSL, CVE-2014-0160, known as “Heartbleed”. More information on this vulnerability may be found at http://heartbleed.com

Upon disclosure of this vulnerability, SourceForge’s operations team expeditiously reviewed all of our services and confirmed that the only vulnerable service was SourceForge’s Subversion over HTTPS on Allura (svn.code.sourceforge.net).

We are aware of no compromise of our systems. On Tuesday, vulnerable systems were updated to new versions of OpenSSL, and the related SSL certificates were revoked and re-issued with new private keys.

A mailing will be sent to those users who accessed the vulnerable service (svn.code.sourceforge.net) during the window of vulnerability. While we are aware of no compromise of data resulting from this vulnerability, to further reduce risk we are asking certain users to change their SourceForge password.

To change your SourceForge password:

  1. Go to https://sourceforge.net/account/
  2. Log in with your username and current password
  3. Click the “Change Password” link on the resulting page
  4. Enter your current and new password into the form and submit

Passwords may also be reset using the account recovery facility at https://sourceforge.net/account/registration/recover.php

If you do not already make use of a secure password manager, such as KeePass, Password Safe, Mac OS X Keyring, LastPass, etc., you may wish to begin using such a tool, which makes it easy to manage unique and long passwords for every site you access.

Questions and concerns may be directed to the SourceForge.net support team at sfnet_ops@slashdotmedia.com

Thank you,

SourceForge.net Support

Allura Platform Instability

Greetings,

We’re currently experiencing poor performance on the Allura platform which powers many of the tools on the SourceForge site. Our teams are working to get this fixed and back to normal as soon as they can. Until then, any pages served by the Allura platform are generally timing out and will fail to load. Some pages will occasionally load, but currently, they are mostly failing. Among others, the affected tools include Tickets, Forums, Wiki, Blog, and Code browsers.

Additionally, permission checks for writes to code repositories also interface with the Allura platform, so this may also cause code writes to intermittently fail with permission errors. Operations that don’t require a permission check (i.e., read-only operations) are unaffected.

The File Release System is unaffected by this issue.

UPDATE: Project Icons and Screenshots are currently disabled as we continue to work on this issue.

UPDATE 2: Stability is greatly improved; however, our teams continue to work on this issue to make sure the root cause is addressed so it doesn’t recur. Project Icons and screenshots are also re-enabled.

UPDATE 3: We are now in a normal operating state; this incident is considered resolved.

Regards,
Chris Tsai, SourceForge.net Support

Authentication to code repositories down

UPDATE: This is now fixed

There are known issues with authentication to code repositories on SourceForge at this time. This is affecting all code repository types, and all access protocols. Our team is investigating and working to fix this as soon as possible.

Other services such as site login, sftp, or the shell service are not affected.

Best Regards,
Chris Tsai, SourceForge.net Support