Hey,

Due to a security issue in the moinmoin wiki software, the FreeBSD
wiki will be offline for a bit. I do not yet know if the issue
actually has been exploited in the FreeBSD wiki (haven't had the time
yet to examine it), but I took the wiki down just in case.

Note that even if the software was compromised, it was considered
untrusted from the start and as such heavily sandboxed (including
jailed) to keep it away from any sensitive FreeBSD.org parts, so there
is absolutely no reason to believe a compromise would go any further
than the wiki itself.

I hope to have the wiki back within 24 hours, assuming not too much
gets in the way.

For further reference see: http://moinmo.in/SecurityFixes and
http://permalink.gmane.org/gmane.linux.debian.devel.announce/1754 .

PS. this is entirely unrelated to the 2012 November FreeBSD.org compromise.

--
Simon L. B. Nielsen
Hat: FreeBSD clusteradm / FreeBSD Security Officer

Hey,

tl;dr Wiki is back, and everybody with an account needs to reset their
password.

On 4 January 2013 22:38, Simon L. B. Nielsen <simon at freebsd.org> wrote:
> Due to a security issue in the moinmoin wiki software, the FreeBSD
> wiki will be offline for a bit. I do not yet know if the issue
> actually has been exploited in the FreeBSD wiki (haven't had the time
> yet to examine it), but I took the wiki down just in case.
>
> Note that even if the software was compromised, it was considered
> untrusted from the start and as such heavily sandboxed (including
> jailed) to keep it away from any sensitive FreeBSD.org parts, so there
> is absolutely no reason to believe a compromise would go any further
> than the wiki itself.
>
> I hope to have the wiki back within 24 hours, assuming not too much
> gets in the way.
>
> For further reference see: http://moinmo.in/SecurityFixes and
> http://permalink.gmane.org/gmane.linux.debian.devel.announce/1754 .
>
> PS. this is entirely unrelated to the 2012 November FreeBSD.org compromise.

The wiki is back now.

Looking at logs, there were people attempting to exploit this back in
July but I do not think they actually succeeded. It seemed to be mostly
an automated bot and not a targeted attempt.

The wiki has been reinstalled from scratch and users and pages were
copied. As I did a very selective copy it's entirely possible I made
the wiki unhappy, so let me know if you see issues.

Just to be extra safe I have reset all passwords, so everybody will
need to use the standard account recovery process to set a new
password.

On a side note we have ~23000 user accounts and had 26000 empty pages
mostly caused by spammers, so someone(tm) will likely need to find a
way to change how we handle wiki user accounts to fix this.

PS. The only reason I could see that they tried back in July was that I
found out I had forgotten to set up log rotation, so the wiki logfile
was over 3GB :-).
(It was the internal log file, which doesn't contain user IPs, so the
privacy part isn't really an issue.)

--
Simon L. B. Nielsen
Hat: clusteradm

On 01/08/2013 09:08 AM, Alexander Yerenkow wrote:
> http://wiki.freebsd.org/ZFSTuningGuide
>
> Seems not working :)
>

Works here!

Hi,

On Tue, 8 Jan 2013 10:08:33 +0200
Alexander Yerenkow <yerenkow at gmail.com> wrote:

> http://wiki.freebsd.org/ZFSTuningGuide

Error 503 Service Unavailable

Service Unavailable

Guru Meditation:

XID: 931036950

Varnish cache server

is all I get.

Erich

On 01/08/2013 09:32 AM, Alexander Yerenkow wrote:
> 2013/1/8 Bas Smeelen <b.smeelen at ose.nl>
>
> On 01/08/2013 09:08 AM, Alexander Yerenkow wrote:
>
> http://wiki.freebsd.org/ZFSTuningGuide
>
> Seems not working :)
>
>
> Works here!
>
>
> Hm, could you look at this:
> ping wiki.freebsd.org
> PING wfe0.ysv.freebsd.org (8.8.178.110)

That's strange. When I go to http://wiki.freebsd.org/ZFSTuningGuide it works.
But when I go to wiki.freebsd.org I get the same Error 503

$ ping wiki.freebsd.org
PING wfe0.ysv.freebsd.org (8.8.178.110) 56(84) bytes of data.
64 bytes from wfe0.ysv.FreeBSD.org (8.8.178.110): icmp_req=1 ttl=54 time=160 ms

>
> Error 503 Service Unavailable
>
> Service Unavailable
> Guru Meditation:
>
> XID: 931032464
>
> Varnish cache server

On 01/08/2013 09:37 AM, Erich Dollansky wrote:
> Hi,
>
> On Tue, 8 Jan 2013 10:08:33 +0200
> Alexander Yerenkow <yerenkow at gmail.com> wrote:
>
>> http://wiki.freebsd.org/ZFSTuningGuide
> Error 503 Service Unavailable
>
> Service Unavailable
>
> Guru Meditation:
>
> XID: 931036950
>
> Varnish cache server
>
> is all I get.
>
> Erich

http://wiki.freebsd.org/ThwackAFAQ
http://wiki.freebsd.org/
same Error 503 as above

But http://wiki.freebsd.org/ZFSTuningGuide works in two different browsers,
refreshed the page several times and have no proxy in between.