[opensuse-ja] Fw: [opensuse-announce] Several openSUSE services disabled due to a security breach
This is Kamata, the translator.

This was posted to each of opensuse-announce, opensuse-factory and opensuse-project: because a security flaw was found in the multi-factor authentication (MF) component, user authentication has been temporarily suspended, and some services appear to be stopped or set to read-only.

As for downloading openSUSE itself, software.opensuse.org is down, but it appears you can download as usual by using download.opensuse.org directly.

Details are given at the following page:
https://status.opensuse.org/

As of now (2017/05/13 08:45), the situation is as follows.

[Stopped]
  Authentication system
  Software (the software.opensuse.org page)
  Build Service (build.opensuse.org)
  Feature - and Requirements Management System (feature requests)

[Set to read-only]
  Events and conferences
  Connect - The Social network (connection to the social network)
  openQA (automated testing tool)
  Progress - The Project management tool (progress management tool)

That is all.

Begin forwarded message:

Date: Fri, 12 May 2017 16:38:17 +0200
From: Richard Brown <RBrownCCB@opensuse.org>
To: opensuse-project <opensuse-project@opensuse.org>, oS-fctry <opensuse-factory@opensuse.org>, "opensuse-announce@opensuse.org" <opensuse-announce@opensuse.org>
Subject: [opensuse-announce] Several openSUSE services disabled due to a security breach

Dear openSUSE Community,

We have been informed of a security breach of the MF authentication system used by several openSUSE services.

As a result, the openSUSE services using this authentication method are immediately being set to read-only mode/preventing authentication.

This includes the openSUSE OBS, wiki, and forums.

The scope and impact of the breach is not yet fully clear. The disabling of authentication is to ensure the protection of our systems and user data while the situation is fully investigated.

Based on the information available at this time, there is a possibility that the breach is limited to users of non-openSUSE infrastructure that shares the same authentication system.

Regardless, it is recommended that all users of the affected services and openSUSE bugzilla change their password at the following link:
https://secure-www.novell.com/selfreg/jsp/protected/manageAccount.jsp

https://status.opensuse.org/ can be used to monitor the status of the services as the incident is further investigated.

We do not believe any of the openSUSE Download infrastructure has been compromised, as it does not interact with the MF authentication system.

Therefore www.opensuse.org, download.opensuse.org and software.opensuse.org remain operational and safe for all of our users to use.

Thank you all for your understanding and support, and expect a further update as soon as we have more information.

Regards,

--
To unsubscribe, e-mail: opensuse-announce+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-announce+help@opensuse.org

--
Yasuhiko Kamata
E-mail: belphegor@belbel.or.jp

--
To unsubscribe, e-mail: opensuse-ja+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-ja+owner@opensuse.org
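
This is Kamata, the translator.

Regarding the matter below, it appears the services have finally been restored.

Note: self-hosted OBS instances also refer to api.opensuse.org, so when that goes down, builds stop working too... I only just realized this.

That is all.

On Sat, 13 May 2017 08:51:24 +0900 Yasuhiko Kamata <belphegor@belbel.or.jp> wrote: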
> This is Kamata, the translator.
>
> This was posted to each of opensuse-announce, opensuse-factory and opensuse-project: because a security flaw was found in the multi-factor authentication (MF) component, user authentication has been temporarily suspended, and some services appear to be stopped or set to read-only.
>
> As for downloading openSUSE itself, software.opensuse.org is down, but it appears you can download as usual by using download.opensuse.org directly.
>
> Details are given at the following page:
> https://status.opensuse.org/
>
> As of now (2017/05/13 08:45), the situation is as follows.
>
> [Stopped]
>   Authentication system
>   Software (the software.opensuse.org page)
>   Build Service (build.opensuse.org)
>   Feature - and Requirements Management System (feature requests)
>
> [Set to read-only]
>   Events and conferences
>   Connect - The Social network (connection to the social network)
>   openQA (automated testing tool)
>   Progress - The Project management tool (progress management tool)
>
> That is all.
>
> Begin forwarded message:
>
> Date: Fri, 12 May 2017 16:38:17 +0200
> From: Richard Brown <RBrownCCB@opensuse.org>
> To: opensuse-project <opensuse-project@opensuse.org>, oS-fctry <opensuse-factory@opensuse.org>, "opensuse-announce@opensuse.org" <opensuse-announce@opensuse.org>
> Subject: [opensuse-announce] Several openSUSE services disabled due to a security breach
>
> Dear openSUSE Community,
>
> We have been informed of a security breach of the MF authentication system used by several openSUSE services.
>
> As a result, the openSUSE services using this authentication method are immediately being set to read-only mode/preventing authentication.
>
> This includes the openSUSE OBS, wiki, and forums.
>
> The scope and impact of the breach is not yet fully clear. The disabling of authentication is to ensure the protection of our systems and user data while the situation is fully investigated.
>
> Based on the information available at this time, there is a possibility that the breach is limited to users of non-openSUSE infrastructure that shares the same authentication system.
>
> Regardless, it is recommended that all users of the affected services and openSUSE bugzilla change their password at the following link:
> https://secure-www.novell.com/selfreg/jsp/protected/manageAccount.jsp
>
> https://status.opensuse.org/ can be used to monitor the status of the services as the incident is further investigated.
>
> We do not believe any of the openSUSE Download infrastructure has been compromised, as it does not interact with the MF authentication system.
>
> Therefore www.opensuse.org, download.opensuse.org and software.opensuse.org remain operational and safe for all of our users to use.
>
> Thank you all for your understanding and support, and expect a further update as soon as we have more information.
>
> Regards,
>
> --
> Yasuhiko Kamata
> E-mail: belphegor@belbel.or.jp

--
Yasuhiko Kamata
E-mail: belphegor@belbel.or.jp