[Fwd: Security Breach Alert - CVS Home File Download Area Compromised]

Alan Dayley plug-devel@lists.PLUG.phoenix.az.us
Mon Jan 24 16:23:02 2005


For all you CVS users and admins out there.  This just came across the CVS
mailing list today.

Alan

-------- Original Message --------
Subject: Security Breach Alert - CVS Home File Download Area Compromised
Date: Mon, 24 Jan 2005 13:45:07 -0800
From: Conrad T. Pino <Conrad@Pino.com>
To: <announce-binaries@ccvs.cvshome.org>, "Bug CVS" <bug-cvs@gnu.org>,
"Info CVS" <info-cvs@gnu.org>
CC: Brian Noble <BNoble@Collab.Net>


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello All,

It's been brought to my attention the "*.sig" files in the Mac OS X
can't be downloaded as they appear to have zero file size.  I have
confirmed this report and have confirmed the issue in the Solaris
i386 area as well.

On further investigation of a limited sample set, every file I have
sampled now downloads with a substantially larger size than the size on
the download page and larger than the size of the reference copy I
maintain.

Although my sample size is quite small the error rate is 100% which I
believe is sufficient cause to raise an alarm.

Until such time as the state of www.cvshome.org can be determined, I
recommend the CVS community refrain from downloading files or do so with
extreme caution.

I would appreciate all binary maintainers please sample their uploads
and report deviations to Brian Noble of Collab Net who is copied in this
message.

I would appreciate someone stepping forward to assume responsibility for
coordinating an investigation into this issue.

Best regards,

Conrad T. Pino
(510) 848-3929

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.4

iQA/AwUBQfVsYrNM28ubzTo9EQLDaACdF+j1YPDchv5Lz4iDI9yptoQq11kAn3C0
+oEtYdKUiPrwpZFqGWc74kaH
=MUnr
-----END PGP SIGNATURE-----
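
Added example (not part of the original message and not CVS project tooling): one way a binary maintainer could carry out the sampling requested above, comparing re-downloaded files against a locally kept reference copy by size and SHA-256 and flagging zero-length "*.sig" files. The two-directory layout and the function name audit_downloads are assumptions made for the illustration.

```python
import hashlib
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def audit_downloads(reference_dir, download_dir):
    """Compare every file in reference_dir with its re-downloaded copy.

    Returns a sorted list of (relative_path, finding) tuples; an empty list
    means every sampled file matched the reference copy.
    """
    reference_dir, download_dir = Path(reference_dir), Path(download_dir)
    findings = []
    for ref in sorted(p for p in reference_dir.rglob("*") if p.is_file()):
        rel = ref.relative_to(reference_dir).as_posix()
        got = download_dir / rel
        if not got.is_file():
            findings.append((rel, "missing from download"))
            continue
        ref_size, got_size = ref.stat().st_size, got.stat().st_size
        if got_size == 0 and ref_size > 0:
            kind = "signature" if rel.endswith(".sig") else "file"
            findings.append((rel, f"zero-length {kind}"))
        elif got_size != ref_size:
            findings.append((rel, f"size {got_size} != reference {ref_size}"))
        elif sha256_of(got) != sha256_of(ref):
            findings.append((rel, "same size, different SHA-256"))
    # Files the server offers that the maintainer never uploaded are deviations too.
    for got in sorted(p for p in download_dir.rglob("*") if p.is_file()):
        rel = got.relative_to(download_dir).as_posix()
        if not (reference_dir / rel).is_file():
            findings.append((rel, "not in reference copy"))
    return sorted(findings)


if __name__ == "__main__":
    import sys
    for rel, finding in audit_downloads(sys.argv[1], sys.argv[2]):
        print(f"DEVIATION {rel}: {finding}")
```

Run it with the reference directory first and the directory of fresh downloads second; each DEVIATION line is something to include in the report.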
