[gentoo-announce] packages.gentoo.org and other services down

[tomk]

On August 7, 2007, bannedit reported bug 187971 regarding a possible command injection vulnerability within http://packages.gentoo.org. The Infrastructure team verified the vulnerability and the server was immediately taken down to prevent further exploitation and to allow for forensic analysis.

The server hosted the following sites and services:

• archives.gentoo.org
  
• packagestest.gentoo.org
  
• scripts.gentoo.org
  
• archivestest.gentoo.org
  
• kiss.gentoo.org
  
• packages.gentoo.org
  
• stats.gentoo.org
  
• survey.gentoo.org
  

While no ETA is currently available, the affected sites and services will be restored. The affected server will be rebuilt while the packages.gentoo.org service's source undergoes a full security audit prior to being restored. The tree and all other services were unaffected.

If you have any comments or questions please post them to this thread.
_________________
Search | Read | Answer | Report | Strip