[opensuse-factory] Several openSUSE services disabled due to a security breach
Dear openSUSE Community,
We have been informed of a security breach of the MF authentication system used by several openSUSE services.
As a result, the openSUSE services using this authentication method are immediately being set to read-only mode/preventing authentication.
This includes the openSUSE OBS, wiki, and forums.
The scope and impact of the breach are not yet fully clear. The disabling of authentication is to ensure the protection of our systems and user data while the situation is fully investigated.
Based on the information available at this time, there is a possibility that the breach is limited to users of non-openSUSE infrastructure that shares the same authentication system.
Regardless, it is recommended that all users of the affected services and openSUSE bugzilla change their password at the following link: https://secure-www.novell.com/selfreg/jsp/protected/manageAccount.jsp
https://status.opensuse.org/ can be used to monitor the status of the services as the incident is further investigated.
We do not believe any of the openSUSE Download infrastructure has been compromised, as it does not interact with the MF authentication system.
Therefore www.opensuse.org, download.opensuse.org and software.opensuse.org remain operational and safe for all of our users to use.
Thank you all for your understanding and support, and expect a further update as soon as we have more information.
Regards,
-- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
It is absolutely bad practice to click on a login link from an email. It is especially bad to use any such link that goes to any other domain than the one you intend. If there is some problem with logging in to *.opensuse.(com|org|net), then without some sort of extreme certainty, you should never follow anyone's link to solve that to something else like login.microfocus.com.
Even if this is all legit, it's wrong to ask users to do it, as it is training in harmful behavior. You should provide directions, not actual links, that describe going to some main opensuse front page and proceeding from there. Even if in the end you do wind up at the microfocus page, you got there from a trusted starting point, which was an opensuse front page, and you didn't get to that front page by clicking on a link.
-- bkw
On 5/12/2017 10:38 AM, Richard Brown wrote:
Dear openSUSE Community,
We have been informed of a security breach of the MF authentication system used by several openSUSE services.
As a result, the openSUSE services using this authentication method are immediately being set to read-only mode/preventing authentication.
This includes the openSUSE OBS, wiki, and forums.
The scope and impact of the breach are not yet fully clear. The disabling of authentication is to ensure the protection of our systems and user data while the situation is fully investigated.
Based on the information available at this time, there is a possibility that the breach is limited to users of non-openSUSE infrastructure that shares the same authentication system.
Regardless, it is recommended that all users of the affected services and openSUSE bugzilla change their password at the following link: https://secure-www.novell.com/selfreg/jsp/protected/manageAccount.jsp
https://status.opensuse.org/ can be used to monitor the status of the services as the incident is further investigated.
We do not believe any of the openSUSE Download infrastructure has been compromised, as it does not interact with the MF authentication system.
Therefore www.opensuse.org , download.opensuse.org and software.opensuse.org remain operational and safe for all of our users to use.
Thank you all for your understanding and support, and expect a further update as soon as we have more information.
Regards,
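Brian's argument above amounts to a check a recipient can make before following any link in such a notice: does the link's host actually belong to the organisation that sent it? The Python below is an added example, not code from the thread or from openSUSE's infrastructure; it applies that check to every URL in a message body. The trusted-domain list and the lookalike sample URLs are constructed for illustration, and the two real URLs come from the announcement itself.

```python
"""Flag links in an e-mail body that leave the sender's own domains.

Added example for the discussion above; the trusted-domain list and the
lookalike URLs in the sample message are constructed, not real.
"""
import re
from typing import List, Sequence, Tuple
from urllib.parse import urlparse

# Assumed first-party domain for the sender (constructed for this example).
TRUSTED_DOMAINS: Sequence[str] = ("opensuse.org",)

# Plain URL matcher for prose; trailing punctuation is trimmed afterwards.
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def host_in_domain(host: str, domain: str) -> bool:
    """True if host is the domain itself or a proper subdomain of it.

    A naive suffix test would accept 'evil-opensuse.org', so the comparison
    is done on whole labels: exact match or ends with '.' + domain.
    """
    host = host.lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def classify_link(url: str, trusted: Sequence[str] = TRUSTED_DOMAINS) -> str:
    """Return 'first-party', 'off-domain', 'insecure' or 'unparseable'.

    urlparse().hostname strips any userinfo, so a URL such as
    https://opensuse.org@evil.example/ is judged by its real host.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return "unparseable"
    if parsed.scheme != "https":
        return "insecure"
    if any(host_in_domain(parsed.hostname, d) for d in trusted):
        return "first-party"
    return "off-domain"


def audit_message(body: str, trusted: Sequence[str] = TRUSTED_DOMAINS) -> List[Tuple[str, str]]:
    """Return (url, verdict) for every link found in the message body."""
    results = []
    for raw in URL_RE.findall(body):
        url = raw.rstrip(".,;)")  # drop sentence punctuation glued to the URL
        results.append((url, classify_link(url, trusted)))
    return results


# Constructed sample: the two URLs quoted in the announcement plus two
# lookalikes that a careless suffix check or a hurried reader might accept.
SAMPLE_BODY = """\
Change your password at https://secure-www.novell.com/selfreg/jsp/protected/manageAccount.jsp
Status: https://status.opensuse.org/
Lookalike 1 (constructed): https://opensuse.org@evil.example/login
Lookalike 2 (constructed): https://www.opensuse.org.evil.example/
"""


def off_domain_links(body: str = SAMPLE_BODY) -> List[str]:
    """Convenience wrapper: just the URLs that do not stay first-party."""
    return [u for u, verdict in audit_message(body) if verdict != "first-party"]


if __name__ == "__main__":
    for url, verdict in audit_message(SAMPLE_BODY):
        print(f"{verdict:12s} {url}")
```

Only the status page passes as first-party; the account-management link is flagged as off-domain even though it is the legitimate one, which is exactly Brian's point: the recipient has no way to tell it from the lookalikes, so the notice should describe a route from a known front page rather than supply the link.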
Dear Richard, dear openSuSE Community,
Thanks for informing us about it. In the face of the largest ransomware attack the world has seen until today, https://www.theguardian.com/society/live/2017/may/12/england-hospitals-cyber... (thanks to the NSA for that), doesn't this imply that the major authentication infrastructure of openSUSE is still based on pitiful Windows systems, or is this just a coincidence?
Best regards,
Hans-Peter Jansen
On Friday, 12 May 2017 16:38:17 Richard Brown wrote:
Dear openSUSE Community,
We have been informed of a security breach of the MF authentication system used by several openSUSE services.
As a result, the openSUSE services using this authentication method are immediately being set to read-only mode/preventing authentication.
This includes the openSUSE OBS, wiki, and forums.
The scope and impact of the breach are not yet fully clear. The disabling of authentication is to ensure the protection of our systems and user data while the situation is fully investigated.
Based on the information available at this time, there is a possibility that the breach is limited to users of non-openSUSE infrastructure that shares the same authentication system.
Regardless, it is recommended that all users of the affected services and openSUSE bugzilla change their password at the following link: https://secure-www.novell.com/selfreg/jsp/protected/manageAccount.jsp
https://status.opensuse.org/ can be used to monitor the status of the services as the incident is further investigated.
We do not believe any of the openSUSE Download infrastructure has been compromised, as it does not interact with the MF authentication system.
Therefore www.opensuse.org , download.opensuse.org and software.opensuse.org remain operational and safe for all of our users to use.
Thank you all for your understanding and support, and expect a further update as soon as we have more information.
Regards,
Richard Brown wrote:
Regardless, it is recommended that all users of the affected services and openSUSE bugzilla change their password at the following link: https://secure-www.novell.com/selfreg/jsp/protected/manageAccount.jsp
BTW: The above web page is a messy redirection hell. I'd never implement such a mess for secure account management.
Ciao, Michael.
On 13-05-2017 at 10:50, Michael Ströder wrote:
Richard Brown wrote:
Regardless, it is recommended that all users of the affected services and openSUSE bugzilla change their password at the following link: https://secure-www.novell.com/selfreg/jsp/protected/manageAccount.jsp
BTW: The above web page is a messy redirection hell. I'd never implement such a mess for secure account management.
That also ends with "permission denied", so one cannot change the password, as I just tried. (Which, btw, unless it was passed through the wrong kind of hash / KDF, should take the remaining age of the universe to be cracked.)
participants (5)
- Brian K. White
- Cristian Rodríguez
- Hans-Peter Jansen
- Michael Ströder
- Richard Brown