On Sun, 06 Jan 2013 21:40:50 +0100, Simon L. B. Nielsen <si...@freebsd.org> wrote:

Hey,

tl;dr Wiki is back, and everybody with an account needs to reset their password.

On 4 January 2013 22:38, Simon L. B. Nielsen <si...@freebsd.org> wrote:
Due to a security issue in the moinmoin wiki software, the FreeBSD
wiki will be offline for a bit. I do not yet know if the issue
actually has been exploited in the FreeBSD wiki (haven't had the time
yet to examine it), but I took the wiki down just in case.

Note that even if the software was compromised, it was considered
untrusted from the start and as such heavily sandboxed (including
jailed) to keep it away from any sensitive FreeBSD.org parts, so there
is absolutely no reason to believe a compromise would go any further
than the wiki itself.

I hope to have the wiki back within 24 hours, assuming not too much
gets in the way.

For further reference see: http://moinmo.in/SecurityFixes and
http://permalink.gmane.org/gmane.linux.debian.devel.announce/1754 .

PS. this is entirely unrelated to the 2012 November FreeBSD.org compromise.

The wiki is back now.

Looking at the logs, there were people attempting to exploit this back
in July, but I do not think they actually succeeded. It seemed to be
mostly automated bots and not a targeted attempt.

The wiki has been reinstalled from scratch, and users and pages were
copied. As I did a very selective copy, it's entirely possible I made
the wiki unhappy, so let me know if you see issues.

Just to be extra safe I have reset all passwords, so everybody will
need to use the standard account recovery process to set a new
password.

On a side note we have ~23000 user accounts and had 26000 empty pages
mostly caused by spammers, so someone(tm) will likely need to find a
way to change how we handle wiki user accounts to fix this.

Can't people confirm their account by receiving an email with a link? The same as mailman does.
Or a captcha?

Ronald.
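The confirmation-by-email flow Ronald suggests (create the account in a pending state, send a link carrying a token, and only activate the account when the token comes back) is what mailman does for subscriptions. The following is an added illustration of that mechanism, not code from this thread, from MoinMoin or from FreeBSD.org: the token is an HMAC-SHA256 over the username, e-mail address and issue time, so it can be verified statelessly, it expires after a TTL, comparison is constant-time, and a token cannot be replayed once the account is confirmed. The secret key, TTL and the in-memory registry are assumptions for the example; a real deployment would load the key from configuration and persist the account state.

```python
import base64
import binascii
import hashlib
import hmac
import time
from typing import Optional, Tuple

# Assumed values for the example only: load the key from configuration in practice.
SECRET_KEY = b"replace-me-with-32-random-bytes"
TOKEN_TTL = 24 * 3600  # confirmation links stop working after one day


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _sign(payload: bytes, key: bytes) -> bytes:
    return hmac.new(key, payload, hashlib.sha256).digest()


def make_confirmation_token(username: str, email: str,
                            now: Optional[int] = None, key: bytes = SECRET_KEY) -> str:
    """Build 'base64(payload).base64(mac)' for the link mailed to the new user."""
    issued = int(time.time() if now is None else now)
    payload = f"{username}\x00{email}\x00{issued}".encode("utf-8")
    return _b64e(payload) + "." + _b64e(_sign(payload, key))


def verify_confirmation_token(token: str, now: Optional[int] = None,
                              key: bytes = SECRET_KEY,
                              ttl: int = TOKEN_TTL) -> Optional[Tuple[str, str]]:
    """Return (username, email) if the token is authentic and unexpired, else None."""
    try:
        payload_b64, mac_b64 = token.split(".", 1)
        payload, mac = _b64d(payload_b64), _b64d(mac_b64)
    except (ValueError, binascii.Error):
        return None  # malformed token
    # Check the MAC before interpreting the payload, in constant time.
    if not hmac.compare_digest(mac, _sign(payload, key)):
        return None
    try:
        username, email, issued_s = payload.decode("utf-8").split("\x00")
        issued = int(issued_s)
    except ValueError:
        return None
    current = int(time.time() if now is None else now)
    if issued > current or current - issued > ttl:
        return None  # expired (or issued in the future)
    return username, email


class AccountRegistry:
    """Minimal in-memory model of the flow: accounts start pending and only
    become usable when the mailed token is presented (an assumption for the
    example; a wiki would keep this state in its user database)."""

    def __init__(self, key: bytes = SECRET_KEY):
        self.key = key
        self.pending = {}    # username -> email awaiting confirmation
        self.confirmed = {}  # username -> email of usable accounts

    def register(self, username: str, email: str, now: Optional[int] = None) -> str:
        if username in self.pending or username in self.confirmed:
            raise ValueError("username already taken")
        self.pending[username] = email
        # The returned token is what would be embedded in the confirmation link.
        return make_confirmation_token(username, email, now=now, key=self.key)

    def confirm(self, token: str, now: Optional[int] = None) -> bool:
        claim = verify_confirmation_token(token, now=now, key=self.key)
        if claim is None:
            return False
        username, email = claim
        # Reject replays and tokens for accounts that were never registered.
        if self.pending.get(username) != email:
            return False
        self.confirmed[username] = self.pending.pop(username)
        return True


if __name__ == "__main__":
    reg = AccountRegistry()
    link_token = reg.register("alice", "alice@example.org", now=1000)
    print("first confirmation:", reg.confirm(link_token, now=2000))
    print("replayed token:", reg.confirm(link_token, now=2000))
```

Spammers who never read the mailbox they signed up with leave only a pending entry that can be expired and purged in bulk; the pending accounts never get write access to pages, so the empty-page problem mentioned above does not arise from them.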
_______________________________________________
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"