The PHP team has announced that last Sunday attackers gained access to its main Git server and pushed two malicious commits (presented as fixing a "typo" in the source code) that contained a backdoor. The commits were noticed and reverted immediately, so they never reached end users.

In response to the compromise, the PHP team is moving its repositories to GitHub and making them canonical.

The investigation into the root cause and exact scope of the compromise is still underway, so releases will be delayed by two weeks, assuming no further problems are discovered. Here is the announcement:

Hi everyone,

Yesterday (2021-03-28) two malicious commits were pushed to the php-src
repo [1] from the names of Rasmus Lerdorf and myself. We don't yet know how
exactly this happened, but everything points towards a compromise of the
git.php.net server (rather than a compromise of an individual git account).

While investigation is still underway, we have decided that maintaining our
own git infrastructure is an unnecessary security risk, and that we will
discontinue the git.php.net server. Instead, the repositories on GitHub,
which were previously only mirrors, will become canonical. This means that
changes should be pushed directly to GitHub rather than to git.php.net.

While previously write access to repositories was handled through our
home-grown karma system, you will now need to be part of the php
organization on GitHub. If you are not part of the organization yet, or
don't have access to a repository you should have access to, contact me at
nikic@php.net with your php.net and GitHub account names, as well as the
permissions you're currently missing. Membership in the organization
requires 2FA to be enabled.

This change also means that it is now possible to merge pull requests
directly from the GitHub web interface.

We're reviewing the repositories for any corruption beyond the two
referenced commits. Please contact security@php.net if you notice anything.

Regards,
Nikita

[1]:
https://github.com/php/php-src/commit/c730aa26bd52829a49f2ad284b181b7e82a68d7d
and
https://github.com/php/php-src/commit/2b0f239b211c7544ebc7a4cd2c977a5b7a11ed8a

Source: php.net
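The announcement says the team is reviewing the repositories for corruption beyond the two referenced commits, without saying how. The following is an added example of one way to triage a Git history for that kind of review; it is not code from php.net or the PHP project, and the announcement does not say PHP used anything like it. It assumes the history was exported with the `git log --format` string below (the `%G?` and `%GK` placeholders report signature status and signing key; they need `git log --show-signature` support and a local keyring), that the project keeps an allow-list of maintainer signing-key fingerprints (the `TRUSTED_KEYS` table and its fingerprints are made up), and that the sample log lines are constructed for the demonstration.

```python
"""Flag commits in a git log export that deserve a closer look.

Added example, not code from php.net or the PHP project. Assumes the log
was produced with LOG_FORMAT below and that maintainers' signing-key
fingerprints are known; TRUSTED_KEYS and SAMPLE_LOG are constructed.
"""
import subprocess

# 0x1f (unit separator) keeps free-text commit subjects from breaking the parse.
SEP = "\x1f"
# %H sha, %an/%ae author, %cn/%ce committer, %G? signature status,
# %GK key fingerprint used to sign, %s subject.
LOG_FORMAT = SEP.join(["%H", "%an", "%ae", "%cn", "%ce", "%G?", "%GK", "%s"])

# Hypothetical allow-list: committer e-mail -> expected signing-key fingerprint.
TRUSTED_KEYS = {
    "alice@example.org": "AAAA1111AAAA1111",
    "bob@example.org": "BBBB2222BBBB2222",
}


def git_log_lines(repo, rev_range="HEAD~200..HEAD"):
    """Export a real checkout's history in LOG_FORMAT (not used by the sample)."""
    out = subprocess.run(
        ["git", "-C", repo, "log", f"--format={LOG_FORMAT}", rev_range],
        check=True, capture_output=True, text=True,
    ).stdout
    return out.splitlines()


def audit(lines, trusted=TRUSTED_KEYS):
    """Return [(sha, subject, [reasons])] for every commit failing a check."""
    findings = []
    for line in lines:
        if not line:
            continue
        sha, _an, ae, _cn, ce, sig, key, subject = line.split(SEP, 7)
        reasons = []
        # 1. A commit object written by someone other than its author is worth
        #    a look: the commit was created in the author's name by another party.
        if ae != ce:
            reasons.append(f"author {ae} != committer {ce}")
        # 2. %G? is N for unsigned, B for a bad signature, E when the key could
        #    not be checked; only G (good) and U (good, unknown validity) pass.
        if sig not in ("G", "U"):
            reasons.append(f"signature status {sig!r}")
        # 3. A valid signature must also come from the key registered for
        #    that committer, otherwise anyone with any key could sign.
        elif trusted.get(ce) != key:
            reasons.append(f"signed with unexpected key {key}")
        if reasons:
            findings.append((sha, subject, reasons))
    return findings


# Constructed sample: one clean commit, one "typo fix" pushed in a
# maintainer's name by a server account and unsigned, one signed with
# a key that is not the one registered for that maintainer.
SAMPLE_LOG = [
    SEP.join(["1111aaaa", "Alice", "alice@example.org", "Alice",
              "alice@example.org", "G", "AAAA1111AAAA1111",
              "Fix off-by-one in parser"]),
    SEP.join(["2222bbbb", "Alice", "alice@example.org", "git",
              "git@git.example.org", "N", "", "Fix typo"]),
    SEP.join(["3333cccc", "Bob", "bob@example.org", "Bob",
              "bob@example.org", "G", "CCCC3333CCCC3333", "Fix typo"]),
]

if __name__ == "__main__":
    for sha, subject, reasons in audit(SAMPLE_LOG):
        print(sha, repr(subject), "; ".join(reasons))
```

The checks are deliberately coarse: on a real history they produce a short list to read by hand, not a verdict. Merge commits created through a web interface and rebased branches will legitimately show author/committer mismatches, and a history that predates mandatory signing will flag every old commit, so the range and the allow-list need to be tuned per project.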

FlorinM, gnulinux.ro