Hi Bob,
Our CI builds rely on Conan recipes that reference the git project to
download source of package dependencies, in this case gnu-config:
https://github.com/conan-io/conan-center-index/blob/master/recipes/gnu-config/all/conandata.yml
This recipe attempts to download by getting
"http://git.savannah.gnu.org/cgit/config.git/snapshot/config-191bcb948f7191c36eefe634336f5fc5c0c4c2be.tar.gz"
Do we have an alternative download mirror or an ETA for cgit access to
be available again?
Thanks!
Ariel
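One way to make a build less dependent on a single host while still enforcing the recipe's pinned checksum is to try an ordered list of mirrors and accept a download only when its SHA-256 matches. The helper below is an added example, not code from the thread, from Savannah or from the Conan recipe; the mirror hostname and the fake fetcher are constructed placeholders.

```python
"""Fetch a pinned source tarball from an ordered list of mirrors.

Added example (not from the mailing-list thread or the Conan recipe): the
recipe above downloads one fixed URL, so when that host is offline the build
fails. This helper tries mirrors in order and returns a body only if its
SHA-256 matches the pinned value, so an alternative mirror cannot silently
substitute different content. The mirror URL is a constructed placeholder.
"""
import hashlib
import urllib.request
from typing import Callable, Sequence

# Constructed sample list: the Savannah snapshot URL first, then a hypothetical mirror.
MIRRORS = [
    "http://git.savannah.gnu.org/cgit/config.git/snapshot/"
    "config-191bcb948f7191c36eefe634336f5fc5c0c4c2be.tar.gz",
    "https://mirror.example.org/gnu-config/"  # hypothetical mirror
    "config-191bcb948f7191c36eefe634336f5fc5c0c4c2be.tar.gz",
]


class FetchError(Exception):
    """Raised when no mirror yields content matching the pinned hash."""


def sha256_hex(data: bytes) -> str:
    """Lower-case hex SHA-256 of the downloaded body."""
    return hashlib.sha256(data).hexdigest()


def http_fetch(url: str, timeout: float = 30.0) -> bytes:
    """Default fetcher: a plain HTTP(S) GET returning the response body."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()


def fetch_pinned(urls: Sequence[str], expected_sha256: str,
                 fetch: Callable[[str], bytes] = http_fetch) -> bytes:
    """Try each URL in order; return the first body whose SHA-256 matches.

    A mirror that is unreachable, or that serves content with the wrong
    hash, is skipped and recorded; only a hash-verified body is returned.
    """
    failures = []
    for url in urls:
        try:
            body = fetch(url)
        except Exception as exc:  # network or HTTP error: try the next mirror
            failures.append(f"{url}: {exc!r}")
            continue
        digest = sha256_hex(body)
        if digest == expected_sha256.lower():
            return body
        failures.append(f"{url}: sha256 mismatch ({digest})")
    raise FetchError("no mirror matched the pinned hash:\n" + "\n".join(failures))
```

The pinned hash is the one the recipe already records for the tarball; passing a custom `fetch` lets the same logic be exercised offline.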
> From: Bob Proulx
> Subject: git /cgit/ DDOS attack, rsync security
> Date: Mon, 20 Jan 2025 15:54:01 -0700
>
> Savannah Users,
>
> GIT's CGIT
> ==========
>
> Since Friday our site has been under the strain of a massive botnet
> DDOS attack against our git /cgit/ web UI interface and the svn
> /viewvc/ web UI interface. These might be independent. The CGIT
> attack is the larger of the two. It's the largest botnet I have seen
> thrown against us so far.
>
> Initially on Friday it took our entire site down for all HTTP based
> transactions. That is certainly NOT GOOD. In order to cope with the
> onslaught I had to disable /cgit/ so that other parts of the site
> could be operational. Sorry for the inconvenience. I don't want to
> give them clues but the /gitweb/ web browsing UI has not been targeted
> and it is still online and operational.
>
> Additionally we were also dealing with the rsync issues and were
> limited in being able to do everything we wanted to do all at once.
> Work is proceeding and hopefully there will be a positive report to be
> made on this at some point soon.
>
> rsync
> =====
>
> As many of you know there were several rsync security vulnerabilities
> disclosed this past week. These were high profile vulnerabilities
> because taken together they enable an RCE (Remote Code Execution) attack.
> This threw the Internet's security teams into a frenzy.
>
> https://kb.cert.org/vuls/id/952657
>
> One advantage of our unique configuration is that to the best of our
> knowledge we believe we were never vulnerable to the RCE attack,
> though we were partially vulnerable to CVE-2024-12085, as the "nobody"
> user if it were exploited.
>
> CVE-2024-12085: When Rsync compares file checksums, a vulnerability
> in the Rsync daemon can be triggered. An attacker could manipulate
> the checksum length (s2length) to force a comparison between the
> checksum and uninitialized memory and leak one byte of
> uninitialized stack data at a time.
>
> So far we have seen no evidence of any exploitation of our servers.
> But attacks these days are never just a single exploit. Attacks keep
> getting stronger. Multiple exploits are chained together. This
> vulnerability, if exploited, would have been only one link in a longer
> chain of several exploits.
>
> Out of an abundance of caution we are taking various actions to
> mitigate these security threats.
>
> Bob