+1
On Thursday, 18 April 2013 05:04:47 UTC+10, Andrew Wagner wrote:
>
> Just wanted to say, awesome job with this. I appreciate your diligence!
>
>
> On Wed, Apr 17, 2013 at 2:50 PM, Phil Hagelberg
> > wrote:
>
>>
>> Update: thanks to an older backup from Ivan Kozik, we've been able to
>> verify
For the sake of completeness I've included Alex Osborne's analysis of
the situation below. (Alex runs Clojars.)
-Phil
The really annoying thing about security is it's impossible to
conclusively prove at any time anything is s
Andrew Wagner writes:
> Just wanted to say, awesome job with this. I appreciate your diligence!
Thanks! Luckily part of my job at Heroku is to keep an eye out for this
kind of thing, so that's why I'm able to spend more cycles on it when
issues do arise. But Alex Osborne, Ivan Kozik, and Nelson
Update: I've manually reviewed a diff[1] of all changes to jars
published since the intrusion. I found nothing suspicious in the diff,
but I did see a couple instances of bytecode in it. Two of them were
just bytecode being removed, but in one of them the bytecode changed
when the new copy was red
Just wanted to say, awesome job with this. I appreciate your diligence!
On Wed, Apr 17, 2013 at 2:50 PM, Phil Hagelberg wrote:
>
> Update: thanks to an older backup from Ivan Kozik, we've been able to
> verify the
> integrity of all but 45 jars. It's likely these were legitimate
> redeployments
Update: thanks to an older backup from Ivan Kozik, we've been able to verify the
integrity of all but 45 jars. It's likely these were legitimate redeployments by
the maintainers, but I'm going to be reviewing the diffs by hand.
I've attached a list of jars which haven't been verified. If your dep
Phil Hagelberg writes:
> If you run a private proxying internal repository for your company, you
> can help us verify checksums. I'll be posting a follow-up soon with some
> code you can use to calculate and publish checksums so we can
> investigate discrepancies.
Update: Hugo Duncan pointed out
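Phil's request above is for code that calculates and publishes checksums from a private proxying repository, and his earlier update describes reviewing a diff of redeployed jars and singling out the one where bytecode changed. The following is an added example written for this page, not Clojars' tooling or the script Phil mentions. In Python, it hashes every jar under a local Maven-style repository (such as ~/.m2 or an internal proxy), compares that manifest against a trusted one from an older backup, and diffs two jar versions entry by entry so that a changed .class file stands out from an ordinary source-only redeployment. The repository paths and the sample jars are constructed.

```python
"""Checksum verification for a local Maven-style repository, plus an
entry-by-entry diff of two jar versions.  Added example for this thread;
it is not Clojars' code or Phil Hagelberg's script.  Repository paths
and the sample jars are constructed."""
import hashlib
import io
import os
import tempfile
import zipfile


def sha256_bytes(data):
    """Hex SHA-256 of a byte string."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path):
    """Hex SHA-256 of a file, read in chunks so large jars don't sit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def repo_manifest(root):
    """Map repository-relative path -> SHA-256 for every .jar under root.
    Run this against ~/.m2 or an internal proxy and publish the result."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".jar"):
                path = os.path.join(dirpath, name)
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                manifest[rel] = sha256_file(path)
    return manifest


def compare_manifests(trusted, local):
    """Check a local manifest against a trusted one (e.g. an older backup).
    Returns (mismatched, unverified): jars whose hash differs, and jars the
    trusted copy never saw and so cannot vouch for."""
    mismatched = sorted(p for p in local if p in trusted and trusted[p] != local[p])
    unverified = sorted(p for p in local if p not in trusted)
    return mismatched, unverified


def jar_entry_diff(old_jar, new_jar):
    """Compare two jar byte strings entry by entry.  A redeployment that only
    touches .clj sources is ordinary; a changed .class entry is the case the
    thread singles out for manual review."""
    def entries(data):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return {i.filename: sha256_bytes(zf.read(i))
                    for i in zf.infolist() if not i.is_dir()}
    old, new = entries(old_jar), entries(new_jar)
    changed = sorted(n for n in old if n in new and old[n] != new[n])
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": changed,
        "bytecode_changed": [n for n in changed if n.endswith(".class")],
    }


def make_jar(files):
    """Build an in-memory jar from {entry name: bytes} (constructed fixture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample: the original deploy and a "redeploy" of the same version
# in which one class was recompiled and a source file added.
OLD_JAR = make_jar({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "foo/core.clj": b"(ns foo.core)\n",
    "foo/core__init.class": b"\xca\xfe\xba\xbe\x00\x00\x00\x31",
})
NEW_JAR = make_jar({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "foo/core.clj": b"(ns foo.core)\n",
    "foo/util.clj": b"(ns foo.util)\n",
    "foo/core__init.class": b"\xca\xfe\xba\xbe\x00\x00\x00\x32",
})
FOO_PATH = "foo/foo/1.0.0/foo-1.0.0.jar"      # hypothetical artifact paths
BAR_PATH = "bar/bar/0.1.0/bar-0.1.0.jar"


def run_demo():
    """Lay the sample jars out as a Maven repo in a temp dir, snapshot a trusted
    manifest, then redeploy foo and add bar, and report what no longer verifies."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        write(FOO_PATH, OLD_JAR)
        trusted = repo_manifest(root)          # the "older backup"
        write(FOO_PATH, NEW_JAR)               # redeployment after the backup
        write(BAR_PATH, OLD_JAR)               # jar the backup never contained
        mismatched, unverified = compare_manifests(trusted, repo_manifest(root))
    return {"mismatched": mismatched, "unverified": unverified,
            "entry_diff": jar_entry_diff(OLD_JAR, NEW_JAR)}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Two jars rebuilt from identical sources usually differ as whole files because zip entries carry timestamps, so a manifest mismatch alone is not evidence of tampering; the entry-level diff is what separates a harmless rebuild from a jar whose compiled classes changed after the fact, which is the case that deserves a by-hand review.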
What an [ANN] !!!
Please change the subject to [linode-compromise "1.0.0"]
:)
Today Linode announced that their database was attacked[1]. Clojars is
hosted on Linode, and while we have no evidence that the attackers used
their access to break into the VPS instance which hosts Clojars, we
can't rule out the possibility. Other VPS instances[2] have been broken
into.
Apparent