Hey Toolserver admins,
I wanted to raise an issue about an ongoing set of attacks against JIRA installations. Yesterday, I received an email from Atlassian indicating that their JIRA installation had been compromised and to reset passwords. Today, the Apache foundation sent me an email regarding the same attack against their own team.
The attack is an XSS attack against JIRA that is now patched (and was patched today, April 13). A good set of details about it is at https://blogs.apache.org/infra/entry/apache_org_04_09_2010
I'm not saying Toolserver's JIRA has been or will be attacked, but the script kiddies behind this seem to be going after high-profile locations so I think it would be prudent to update JIRA when you can just to be safe. I thought I'd let you all know.
Regards,
-- Shirik

Hello,

At Wednesday 13 April 2010 22:49:08 Shirik wrote:
> I'm not saying Toolserver's JIRA has been or will be attacked, but the script kiddies behind this seem to be going after high-profile locations so I think it would be prudent to update JIRA when you can just to be safe. I thought I'd let you all know.
Thanks for the warning. Because no other root commented on your email today and I saw no jira-update-message in my inbox, I disabled jira now just to be sure (I will speak with river tomorrow morning).
> Regards,
> -- Shirik

Sincerely,
DaB.
toolserver-l@lists.wikimedia.org