wiki.debian.org security breach

To: debian-devel-announce@lists.debian.org

Subject: wiki.debian.org security breach

From: Steve McIntyre <93sam@debian.org>

Date: Fri, 4 Jan 2013 14:44:22 +0000

Message-id: <20130104144421.GG4901@einval.com>

Mail-followup-to: debian-devel@lists.debian.org

Dear editors of the Debian wiki,

The Debian Security Team recently issued Debian Security Announcement 2593-1 [1] regarding the 'moin' package [2] and a remote arbitrary code execution vulnerability in the twikidraw / anywikidraw components. Debian's wiki [3] is implemented using 'moin' and includes support for the twikidraw component.

A review of the apache2 log files for wiki.debian.org reveals that this vulnerability was exploited successfully. As a consequence, the wiki.debian.org service has been moved from the old server to a new server using the fixed package and with a corresponding restructuring of the deployment methodology.

We are currently conducting an audit of the old server to determine the extent of the penetration. At this time, we have no evidence to indicate that the intrusion was particularly successful (logs have not been altered; root escalation has not been detected). That said, the audit is ongoing. Should the audit reveal a greater penetration than currently understood, a follow-up email detailing our findings will be issued.

At this time, we are resetting all wiki account passwords for safety. Existing wiki account holders will need to follow the password recovery process [4] in order to regain access to their accounts. We apologise for the inconvenience to users.

If you have any questions or concerns, please contact the Debian Wiki Administrator Team [5] and/or the Debian System Administration Team [6].

Finally, we'd like to thank Peter Palfrader for reacting quickly to the Debian Security Announcement, taking time away from his conference to move wiki.debian.org to the new server.

With kind regards,

Steve McIntyre for the Debian Wiki Administrator Team
Luca Filipozzi for the Debian System Administration Team

[1] http://www.debian.org/security/2012/dsa-2593
[2] http://packages.qa.debian.org/m/moin.html
[3] http://wiki.debian.org
[4] http://wiki.debian.org/FrontPage?action=recoverpass
[5] debian-www@lists.debian.org
[6] debian-admin@debian.org

-- 
Steve McIntyre 93sam@debian.org
Debian wiki admin - wiki.debian.org
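The announcement says the compromise was found by reviewing the apache2 access logs for requests to the vulnerable twikidraw / anywikidraw components. The script below is an added illustration of that kind of log review; it is not code from the Debian wiki administrators or from the moin package. It assumes the access log is in Apache's "combined" format and that MoinMoin reaches these drawing components through the wiki's `action=` query parameter (both assumptions, as are the sample log lines, which are constructed with documentation IP ranges). It parses each line, flags requests whose action is one of the two components, groups the hits by client address and produces a short report that an administrator could use to scope which pages and time windows the audit should focus on.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Apache "combined" access-log format (assumption: the wiki logged in this format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# The two MoinMoin components named in DSA-2593-1. Assumption: the wiki
# exposes them via its ?action= query parameter, so any request naming them
# is worth a closer look during the audit.
SUSPECT_ACTIONS = {"twikidraw", "anywikidraw"}


def parse_line(line):
    """Parse one combined-format log line; return None for lines that don't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # Keep the first value of each query key; parse_qs returns lists.
    rec["query"] = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return rec


def is_suspect(rec):
    """True when the request targets one of the vulnerable drawing actions."""
    return rec["query"].get("action", "").lower() in SUSPECT_ACTIONS


def scan(lines):
    """Return {client_ip: [parsed records]} for every request to a suspect action."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and is_suspect(rec):
            hits[rec["ip"]].append(rec)
    return dict(hits)


def report(hits):
    """One summary line per client address, sorted by address."""
    lines = []
    for ip, recs in sorted(hits.items()):
        actions = sorted({r["query"]["action"].lower() for r in recs})
        lines.append(f"{ip}: {len(recs)} request(s) to {', '.join(actions)} "
                     f"between {recs[0]['ts']} and {recs[-1]['ts']}")
    return lines


# Constructed sample log: ordinary wiki traffic plus one client touching the
# drawing actions. The addresses are from the documentation ranges (RFC 5737).
SAMPLE_LOG = """\
203.0.113.7 - - [03/Jan/2013:10:12:01 +0000] "GET /FrontPage HTTP/1.1" 200 5120
203.0.113.7 - - [03/Jan/2013:10:12:05 +0000] "GET /FrontPage?action=recoverpass HTTP/1.1" 200 2048
198.51.100.22 - - [03/Jan/2013:22:41:10 +0000] "GET /SomePage?action=twikidraw HTTP/1.1" 200 3310
198.51.100.22 - - [03/Jan/2013:22:41:12 +0000] "POST /SomePage?action=twikidraw HTTP/1.1" 200 116
198.51.100.22 - - [03/Jan/2013:22:43:30 +0000] "GET /SomePage?action=anywikidraw HTTP/1.1" 200 3300
192.0.2.9 - - [04/Jan/2013:01:00:00 +0000] "GET /robots.txt HTTP/1.1" 404 210
garbage line that does not match
"""

if __name__ == "__main__":
    for line in report(scan(SAMPLE_LOG.splitlines())):
        print(line)
```

A scan like this only tells you which requests reached the vulnerable code path, not whether each one succeeded; the announcement itself draws the same line, treating the log findings as the reason to rebuild the host and start a full audit of the old server. It also depends on the logs being trustworthy, which is why the message explicitly notes that the logs had not been altered.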