A site belonging to the Savannah GNU free software archive was attacked recently, leading to the exposure of hashed account passwords (the project's notice calls them encrypted) and enabling the attackers to access restricted project material.
The compromise was the result of a SQL injection attack against the savannah.gnu.org site within the last couple of days, and the site is still offline as of this writing. A notice on the site says that the group has finished restoring all of the data from a clean backup and has brought some resources back online, but is still in the middle of adjusting its security settings.
“There’s been a SQL injection leading to leaking of encrypted account passwords, some of them discovered by brute-force attack, leading in turn to project membership access. We’re reinstalling the system and restoring the data from a safe backup, November 23rd circa 12:00 GMT. Please prepare to recommit your changes since that date. While effort was made in the past to fix injection vulnerabilities in the Savane2 legacy codebase, it appears this was not enough :/,” the group said in its notice.
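The chain the notice describes, an injectable lookup query leaking a table of password hashes and weak hashes then falling to a dictionary attack, is easy to reproduce in miniature. The following is an added illustration written for this article, not Savane code and not a description of the actual Savannah flaw: the `user` table, the column names, the sample accounts and the wordlist are all constructed, and unsalted MD5 is used only because it is the kind of fast, unsalted scheme that makes the brute-force step cheap.

```python
"""Added illustration (not Savane/Savannah code): a lookup query built by
string concatenation lets a tautology payload dump every password hash;
the same lookup with a bound parameter treats the payload as a literal;
unsalted fast hashes from the dump then fall to a small wordlist."""
import hashlib
import sqlite3

# Constructed sample data for a hypothetical 'user' table; the accounts,
# passwords and unsalted-MD5 storage are assumptions for this example.
SAMPLE_USERS = [
    ("alice", "letmein"),
    ("bob", "correct horse battery staple"),
    ("carol", "password1"),
]

# Constructed mini wordlist standing in for a real cracking dictionary.
WORDLIST = ["123456", "password", "letmein", "qwerty", "password1"]

# Classic tautology payload: closes the string literal and appends a
# condition that is always true, so the WHERE clause matches every row.
PAYLOAD = "x' OR '1'='1"


def build_db():
    """In-memory SQLite database populated with MD5 hashes of the sample passwords."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE user (user_name TEXT PRIMARY KEY, user_pw TEXT)")
    con.executemany(
        "INSERT INTO user VALUES (?, ?)",
        [(name, hashlib.md5(pw.encode()).hexdigest()) for name, pw in SAMPLE_USERS],
    )
    return con


def lookup_vulnerable(con, user_name):
    """Vulnerable form: user input is spliced into the SQL text, so it becomes SQL."""
    sql = "SELECT user_name, user_pw FROM user WHERE user_name = '" + user_name + "'"
    return con.execute(sql).fetchall()


def lookup_fixed(con, user_name):
    """Hardened form: a bound parameter is always data, never SQL syntax."""
    sql = "SELECT user_name, user_pw FROM user WHERE user_name = ?"
    return con.execute(sql, (user_name,)).fetchall()


def brute_force_md5(hex_digest, wordlist):
    """Dictionary attack on an unsalted MD5 hash; returns the password or None."""
    for candidate in wordlist:
        if hashlib.md5(candidate.encode()).hexdigest() == hex_digest:
            return candidate
    return None


def demo():
    """Run the full chain and return (rows leaked, rows from the fixed query, cracked)."""
    con = build_db()
    leaked = lookup_vulnerable(con, PAYLOAD)  # every row comes back
    safe = lookup_fixed(con, PAYLOAD)         # no user is literally named "x' OR '1'='1"
    cracked = {name: brute_force_md5(h, WORDLIST) for name, h in leaked}
    return len(leaked), len(safe), cracked


if __name__ == "__main__":
    print(demo())
```

The injected query returns all three hashes, the parameterized one returns none, and the two accounts with dictionary passwords are recovered immediately; only the long passphrase survives. Salting and a deliberately slow hash (bcrypt, scrypt or PBKDF2) would make the third step expensive, but the first line of defence is the parameterized query, which is what "fixing injection vulnerabilities in the legacy codebase" amounts to in practice.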
Savannah is run by the Free Software Foundation and is used as a hosting platform for free software projects, specifically GNU-based projects. A cached version of the Savannah site says that it is meant to be a “central point for development, maintenance and distribution of official GNU software.” There is a separate site for non-GNU free software projects. GNU is a free operating system maintained by the Free Software Foundation.
In comments on the Savannah site, volunteers said that only one project was affected by the compromise, but they didn’t specify which project.
There have been other attacks against free and open-source software projects in recent years, with some resulting in compromises of software that weren’t discovered until well after the fact. One of the more recent examples was the attack last year on the Apache Software Foundation, which was the result of the compromise of an SSH key the group used. That attack resulted in some files that were uploaded by the attackers being synced to the foundation’s production Web server, although it didn’t affect the Apache code base itself. The foundation was open and forthcoming about the incident from the outset and was widely praised in the security community for its transparent response to the attack.