Please read and take appropriate action if any of you accessed JIRA in the last few days.
Shanti ---------- Forwarded message ---------- From: Joe Schaefer <[email protected]> Date: Sat, Apr 10, 2010 at 9:01 AM Subject: [NOTICE] compromised jira passwords To: [email protected] Hello committers@, As you are probably aware we have been working to restore services that have been compromised by a very targetted attack against Apache's jira installation. The good news is that jira is back online, with bugzilla and confluence soon to follow [1]. The bad news is that the hacker was able to rejigger jira's code to sniff any cookies and passwords sent to the server between April 6 and April 9. If you used jira at all this week, including via IDE's that interface via SOAP, it is IMPERATIVE that you take time to immediately reset your jira password, and possibly your ldap password if those match up. If you have admin privs in jira your password was reset by us, so you'll need to use the password reset form in jira to regain access. To have a reset password mailed to your contact information in jira, visit https://issues.apache.org/jira/secure/ForgotPassword!default.jspa<https://issues.apache.org/jira/secure/ForgotPassword%21default.jspa> When you do login to jira be sure to double-check your contact info. To change your ldap password login to people.apache.org and run /usr/sbin/passwd, or else visit https://svn.apache.org/change-password . Thanks for your patience and diligence in this matter. A blog post will be forthcoming which will provide details of the attack and what we have done to mitigate future hack attempts. [1] at this time we do not believe the hacker compromised the confluence and bugzilla installs, but we are awaiting confirmation from our admins before bringing those back online.
