Debian-news is about one simple thing - news about Debian GNU/Linux and the top free distributions based on Debian GNU/Linux.


Security incident on Alioth

Raphael Hertzog explains why Alioth's web server was unavailable for most of the 5th of september.


Alioth's web server was unavailable for most of the 5th of september. It was
simply stopped because we discovered that some script kiddies were running an
IRC proxy. After thorough investigation, we discovered that they exploited a
pmwiki security hole[1] to deface some web pages, to install some malicious php
pages which in turn were used to setup the IRC proxy.

Two pmwiki instances have been put offline, the corresponding project
administrators are already aware of that.

This security alert is over, however we have way too many projects running some
custom-installed web applications. We're going to review everything that is
installed and come up with suggestion to use the packaged (and thus
security-supported) version of the web applications when possible. We'll
probably ask some projects to stop using some web apps and/or to switch to
another supported one.

However, it would be of great help if all project administrators could check
what they have installed [2] and remove whatever they are not using. Remember
that a service like alioth is of great use for everybody, but its openness is
also its weakness: do not forget the security implications of your
actions. And if you find something suspicious, please don't hesitate to

Migration of Alioth to a new host

On a related matter, we're preparing the move of Alioth to a new (and bigger)
machine (called, and we'll make use of that opportunity to
further strengthen the security measures as well as add more security checks.

This move will let us merge costa.d.o (svn/bzr/arch/git.d.o), and haydn.d.o
( on a single host. This also means that the transition can't
be 100% transparent as we will only keep home directories and cron jobs from
haydn.d.o. The files from costa will be made available on the new host during a
transition period but it wouldn't hurt if you could already clean up your home
directories and put costa files that you'd like to keep on alioth.

There's no fixed date for the move yet, but it's likely to happen in the
upcoming weeks. We'll send another notice in time.

Thanks for your comprehension and for your help!

Raphael H.
on behalf of the Alioth admins

[2] Check /var/lib/gforge/chroot/home/groups/ / (and what's in htdocs
and cgi-bin in particular) as well as what you can have installed in your
~/public_html/ directory.

— Raphaël Hertzog Premier livre français sur Debian GNU/Linux :

No Response to “Security incident on Alioth” »

No comments yet.

RSS feed for comments on this post. TrackBack URI

Leave a comment

Leave a Reply

Your email address will not be published. Required fields are marked *


You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

Debian-News is not related to the Debian Project.
All logos and trademarks on this site are property of their respective owners.