+-----------------------------------------------------------------+
| ______ ______ _ _ _ |
| /\ / _____) ___ \| | | | | /\ |
| / \ | / ___| | | | | | | | / \ |
| / /\ \| | (___) | | | | | | | / /\ \ |
| | |__| | \____/| | | | |___| | |_____| |__| | |
| |______|\_____/|_| |_|\______|_______)______| |
| |
+-----------------------------------------------------------------+
[Sorry for cross-posting. Feel free to forward around]
Florence, 19 April 2005
+++ Main AGNULA Host attacked (and potentially compromised)
On Sunday, April 16 2005, the main AGNULA host (agnula.speech.kth.se,
hosting
lists.agnula.org,
www.agnula.org,
download.agnula.org,
devel.agnula.org,
muzik.agnula.org and related services) was subject
to an attack (see below). The attacker(s) (whose identity is unknown
as of today) managed to download, *but not succesfully run*, a
backdoor on the system; thanks to the tight security measures
implemented on the host - and after a thorough check of the whole
system - we believe that the latter was *not* compromised.
However, following good security practices and common sense, we can
not guarantee the integrity of the host. Since we had already planned
an extensive upgrade of the server, we decided to go down the safer
route: completely wipe out the system, reinstall everything from
scratch and recover backup data from the day before the attempted
compromise.
The wipeout/installation/recover operations will begin tomorrow (April
20, 2005) early afternoon (approximately 3:00 p.m., Central European
Time). They should be concluded *at most* on Monday (April 25, 2005)
- we actually hope to do everything much quicker, but you will
understand our main concern in this moment is reliability and not
speed. In the meantime, we urge you to use the mirrors at:
*
http://freesoftware.ircam.fr/mirrors/agnula/
*
http://ccrma.stanford.edu/mirrors/agnula/
The mailing lists (including the archives), the main web site, the
AGNULA Libre Music web site, the AGNULA Development platform will be
unusable until after the reinstallation process is finished.
We are quite confident that you can safely download and install the
latest released version of A/DeMuDi (1.2.1-rc2) as well as all the
previous ones, as the relevant ISO images were uploaded on the server
before the attack and we have no tangible proof that they have been
tampered with.
+++ The attack
The attack used a bug in GForge 3.x "scm" subsystem.
We decided not to immediately disclose full information on the type of
the attack; we promptly informed to the maintainers of the affected
program, and we are waiting for the "green light" on their side before
posting details in the wild.
We urge all administrators of GForge-based systems (all 3.x series
seem affected by it) to temporarily disable the "scm" subsystem, until
a proper patch has been issued.
The discovery and the analysis were conducted by Filippo Morelli
<spike(a)miu-ft.org>rg>. We would like to publically thank him for his
prompt action and detailed report, that allowed us to take the
necessary steps very quickly.
+++
About AGNULA: Agnula (acronym for A GNU/Linux Audio distribution,
pronounced with a strong g) is the name of a project funded until
April 2004 by the European Commission (number of contract:
IST-2001-34879; key action IV.3.3, Free Software: towards the critical
mass). After the end of the funded period, AGNULA is continuing its
work, aiming to spread Libre Software in the professional audio/video
arena.
Big thanks to the following institutions for their help in supporting
AGNULA:
- Firenze Tecnologia <http://www.firenzetecnologia.it>
for paying Free Ekanayaka to work full-time on maintaining A/DeMuDi;
- Swedish Royal Institute of Technology <http://www.kth.se/>
for housing the main AGNULA server
- IRCAM <http://www.ircam.fr> and CCRMA <http://ccrma.stanford.edu/>
for providing mirror space and bandwidth
Best regards,
--
The AGNULA Team info(a)agnula.org
Our mailing lists:
http://lists.agnula.org/
Our web site:
http://www.agnula.org/
"There's no free expression without control on the tools you use"