Michael Stahnke
2012-Mar-06 18:02 UTC
Statement from Puppet Labs regarding Github Compromise
Over the weekend, we saw github[1] had been attacked, and potentially malicious code was pushed onto the rails project. This was concerning to us at Puppet Labs as we host nearly 100% of our code with github. Our course of action ran as follows:

1. We first checked our Rails-based applications for the mass assignment[2][3] issues. This includes the Puppet Forge and Puppet Dashboard. It was determined that neither of these products was vulnerable to mass assignment issues. Other projects using ActiveRecord (without rails) were also verified.

2. We checked our repositories for suspicious commits. During the time of the compromise of github, the attacker could have created a phony git setup and pushed onto one of our projects with a malicious commit. For puppet, facter and dashboard we get notified when a push happens onto a branch. We saw no out-of-place commits occur. Those repositories, and other repositories, are being hand-reviewed/audited for anything odd in the last two weeks. This includes repositories for mcollective, puppet modules, and packaging.

Github also made a statement saying they have "determined that no malicious intent was present"[4] in the compromise. At this time, Puppet Labs also believes no harm was done to our projects as a result of this github compromise.

As a reminder, Puppet Labs practices Responsible Disclosure[5]. If you ever have questions or concerns about our security practices, contact us at security@puppetlabs.com or see our security page[6].
Thanks,
Michael Stahnke
Community Manager

[1] https://github.com/blog/1068-public-key-security-vulnerability-and-mitigation
[2] http://guides.rubyonrails.org/security.html#mass-assignment
[3] http://blog.mhartl.com/2008/09/21/mass-assignment-in-rails-applications/
[4] https://github.com/blog/1069-responsible-disclosure-policy
[5] http://en.wikipedia.org/wiki/Responsible_disclosure
[6] http://puppetlabs.com/security/
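The mass assignment check described in step 1, illustrated with an added example that is not Puppet Labs' code or Rails itself: a minimal stand-in for the ActiveRecord attribute-hash update pattern, with the unprotected model beside one that whitelists attributes the way Rails 3's attr_accessible did. The class names, the "admin" attribute and the request hash are constructed for the illustration.

```ruby
# Constructed stand-in for ActiveRecord-style mass assignment, so the
# check runs without Rails installed. Not Rails' implementation.

# Vulnerable pattern: every key in the request hash becomes an attribute,
# so a client-supplied "admin" field overwrites a column the form never
# exposed. This is the defect described in the Rails security guide.
class UnprotectedUser
  attr_reader :attributes

  def initialize
    @attributes = { "name" => nil, "email" => nil, "admin" => false }
  end

  def update_attributes(params)
    params.each { |name, value| @attributes[name.to_s] = value }
    self
  end
end

# Hardened pattern: an explicit whitelist (attr_accessible in Rails 3);
# any key outside it is dropped before assignment.
class ProtectedUser < UnprotectedUser
  ACCESSIBLE = %w[name email].freeze

  def update_attributes(params)
    super(params.select { |name, _| ACCESSIBLE.include?(name.to_s) })
  end
end

# Constructed request body: the form only shows name and email, but the
# client adds an "admin" key.
TAMPERED_PARAMS = { "name" => "alice", "email" => "a@example.org",
                    "admin" => true }.freeze

# Audit helper: which keys of a request would reach the record unfiltered?
def accepted_keys(model, params)
  before = model.attributes.dup
  after = model.update_attributes(params).attributes
  params.keys.map(&:to_s).select { |k| before[k] != after[k] }
end

# Returns the admin flag the record ends up with after the update.
def resulting_admin(model)
  model.update_attributes(TAMPERED_PARAMS).attributes["admin"]
end

if __FILE__ == $0
  puts "unprotected admin: #{resulting_admin(UnprotectedUser.new)}"
  puts "protected admin:   #{resulting_admin(ProtectedUser.new)}"
end
```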