We’ve learned that savannah.gnu.org (used as a central code repository for many GNU projects – gcc, etc) has been hacked and is currently offline. They posted some details on their site explaining what is going on: savannah.gnu.org
Savannah is currently down – details to follow.
There’s been a SQL injection leading to leaking of encrypted account passwords, some of them discovered by brute-force attack, leading in turn to project membership access.
We’re reinstalling the system and restoring the data from a safe backup, November 23th circa 12:00 GMT.
Please prepare to recommit your changes since that date.
While effort was made in the past to fix injection vulnerabilities in the Savane2 legacy codebase, it appears this was not enough :/
No firm ETA for the return online yet (but during the week).
* 2010/11/29 21:30 GMT: access to the base host restored, extracting incremental backup from the 23th
* 2010/11/29 23:30 GMT: finished diagnosing original attack
* 2010/11/30 12:30 GMT: data transfers in progress
* 2010/11/30 13:30 GMT: read-only access to source repositories
* 2010/11/30 14:30 GMT: write access to source repositories
* 2010/11/30 16:30 GMT: data transfers finished
* 2010/11/30 18:00 GMT: access to downloads and GNU Arch
What we’ve learned is the attackers exploited a SQL injection vulnerability, got access to all passwords and probably access to some projects through the exploit. If you have an account at Savannah (and like to re-use passwords), change them as soon as possible.