From owner-freebsd-stable@FreeBSD.ORG Sun Jan 6 20:46:09 2013 Return-Path: Delivered-To: freebsd-stable@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by hub.freebsd.org (Postfix) with ESMTP id 2059D65B for ; Sun, 6 Jan 2013 20:46:09 +0000 (UTC) (envelope-from ronald-freebsd8@klop.yi.org) Received: from smarthost1.greenhost.nl (smarthost1.greenhost.nl [195.190.28.78]) by mx1.freebsd.org (Postfix) with ESMTP id C62F417A8 for ; Sun, 6 Jan 2013 20:46:08 +0000 (UTC) Received: from smtp.greenhost.nl ([213.108.104.138]) by smarthost1.greenhost.nl with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.69) (envelope-from ) id 1Trx6c-0006Tl-1l for freebsd-stable@freebsd.org; Sun, 06 Jan 2013 21:46:06 +0100 Received: from h253044.upc-h.chello.nl ([62.194.253.44] helo=pinky) by smtp.greenhost.nl with esmtpsa (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.72) (envelope-from ) id 1Trx6c-0007Oq-4E for freebsd-stable@freebsd.org; Sun, 06 Jan 2013 21:46:06 +0100 Content-Type: text/plain; charset=us-ascii; format=flowed; delsp=yes To: freebsd-stable@freebsd.org Subject: Re: FreeBSD wiki offline for a bit References: Date: Sun, 06 Jan 2013 21:46:05 +0100 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit From: "Ronald Klop" Message-ID: In-Reply-To: User-Agent: Opera Mail/12.12 (Win32) X-Virus-Scanned: by clamav at smarthost1.samage.net X-Spam-Level: / X-Spam-Score: 0.8 X-Spam-Status: No, score=0.8 required=5.0 tests=BAYES_50 autolearn=disabled version=3.3.1 X-Scan-Signature: 729ef2e9e2cd27dd49f9ca04774c95e6 X-BeenThere: freebsd-stable@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: Production branch of FreeBSD source code List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 06 Jan 2013 20:46:09 -0000 On Sun, 06 Jan 2013 21:40:50 +0100, Simon L. B. Nielsen wrote: > Hey, > > tl;dr Wiki is back, and everybody with account need to reset their > password. > > On 4 January 2013 22:38, Simon L. B. Nielsen wrote: >> Due to a security issue in the moinmoin wiki software, the FreeBSD >> wiki will be offline for a bit. I do not yet know if the issue >> actually has been exploited in the FreeBSD wiki (haven't had the time >> yet to examine it), but I took the wiki down just in case. >> >> Note that even if the software was compromised, it was considered >> untrusted from the start and as such heavily sandboxed (including >> jailed) to keep it away from any sensitive FreeBSD.org parts, so there >> is absolutely no reason to believe a compromise would go any further >> than the wiki itself. >> >> I hope to have the wiki back within 24 hours, assuming not too much >> gets in the way. >> >> For further reference see: http://moinmo.in/SecurityFixes and >> http://permalink.gmane.org/gmane.linux.debian.devel.announce/1754 . >> >> PS. this is entirely unrelated to the 2012 November FreeBSD.org >> compromise. > > The wiki is back now. > > Looking at logs it there were people attempting to exploit this back > in July but I do not think they actually succeeded. It seemed to > mostly automated bot and not a target attempt. > > The wiki has been reinstalled from scratch and users and pages were > copied. As I did a very selective copy it's entirely possible I made > the wiki unhappy, so let me know if you see issues. > > Just to be extra safe I have reset all password, so everybody will > need need to use the standard account recovery process to set a new > password. > > On a side note we have ~23000 user accounts and had 26000 empty pages > mostly caused by spammers, so someone(tm) will likely need to find a > way to change how we handle wiki user accounts to fix this. Can't people confirm their account by receiving an email with a link? The same as mailman does. Or a captcha? Ronald.