Update: SourceForge.net Attack

As we mentioned yesterday, work is continuing on SCM data validation, and with project web and interactive shell services.

Project Files and Mirrors Update

File Release services came online Tuesday, including the ability to upload new files for download. Data validation of our mirror network has continued and we’re happy to announce that 18 mirrors have been validated, and are synced with new release data. We’re not quite back to full capacity, but we’ll have no trouble handling normal load.

SF.net Beta SCM update

The beta SCM data is hosted on an updated platform, and none of these servers were compromised during this attack. The data, however, was accessible to the attacker. We’ve completed the SCM data validation for the SourceForge Beta and don’t believe there was any tampering. We will be publishing the validation results tomorrow at the same time we cutover this service to new systems with improved security controls.

Non CVS SCM data

We are still working on validating SVN, Hg, Bzr, and Git data on the main sourceforge.net SCM servers. These servers weren’t compromised, but the SCM data was accessible to the attacker. At this time we don’t have any evidence of tampering with SCM data. We will publish the full results of our validation work when the work is complete.

We have also redesigned the platform for these services, and will be pushing out updated configurations and improved security controls. We expect the updates to this service and the results of this validation work to ship later this week. ViewVC (web-based SCM access) will be brought online as we ship the updated SCM servers.

CVS data

CVS servers were compromised, so we are taking extra time with this data. CVS requires the significant validation effort, and its configuration made it harder to get the data we needed to start validation. The good news is that comparisons are running now against backup data.

We still expect this to be one of the last services restored, but are committed to making that happen as quickly as possible. ViewVC (web-based SCM access) for CVS will be brought online as we ship the updated SCM servers.

Project Web

Preparations to roll-out our updated project web offering are also in-progress. Our updated project web service has already been deployed to some projects. This service was not compromised during the attack.

As a precautionary measure, we’ve reloaded our new project web servers and have applied further security controls. We’ll be rolling this service out to all projects starting next week, starting with projects A through G (by UNIX name).

Interactive Shell services will be brought online with this new project web launch and should be available again as soon as individual projects are migrated over to the new system. In the mean time, project web content may be managed via SCP, SFTP or rsync over SSH.

We appreciate your support and will continue our efforts over the coming days!

0 comments