Savannah, SQL Injection, Passwords, and Security Posture
simon at josefsson.org
Mon Dec 6 15:51:39 CET 2010
Jeffrey Walton <noloader at gmail.com> writes:
> Hi All,
> According to http://savannah.gnu.org/, the server was down for a few
> days due to a SQL Injection. Because the server did not properly
> sanitize its data, the password database was compromised.
> Today, I tried to change my password to a similar password.
> Surprisingly, the change was rejected because the password was too
> similar. The "surprising" part is it appears GNU is storing passwords
> in plain text.
> I'm going out on the limb and guessing that free software stored the
> passwords in the plain text. "Password Security: A Case History" by
> Morris and Thompson was written in the 1970s. Sadly, GNU has totally
> punned lessons learned in the past.
If you join the Savannah project, I'm sure they could use your help. I
know that they need more manpower.
> The GnuTLS project happily uses dangerous string functions. Use of the
> functions appears unaudited, suffering unchecked buffer overflows and
> truncations. In fact, the project took a buffer overflow report today
> due to a call to sprintf. Sadly, GNU has totally punned lessons
> learned in the past (again).
Again, without volunteers to do the work, it won't improve.
> Would someone be able to provide GNU's policy regarding application
> security and proper use of cryptography in GNU projects? "GNU Coding
> Standards" (http://www.gnu.org/prep/standards/standards.html) does not
> address anything security related. I'm very interested in learning
> about GNU's security posture.
To improve the document, you can send contributions to
bug-standards at gnu.org.
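As an added example (not Savannah's or GnuTLS's code), here is a minimal account store in Python that handles the three points raised in the thread: parameterized queries so user input never reaches SQL syntax, salted iterated hashing instead of plaintext storage, and a "too similar" check done on the old password the user submits at change time rather than on any stored secret. The in-memory SQLite table, the similarity threshold and the sample accounts are constructed for the demonstration.

```python
import difflib
import hashlib
import hmac
import os
import sqlite3

# Constructed example: an in-memory table standing in for a site's account store.
ITERATIONS = 200_000  # assumed PBKDF2 work factor; tune for the deployment

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    return conn

def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, iterated PBKDF2-HMAC-SHA256: the table never holds the plaintext.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def create_user(conn, name: str, password: str) -> None:
    salt = os.urandom(16)
    # Placeholders (?) bind values separately from the statement text,
    # so quotes or SQL keywords in the input cannot alter the query.
    conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                 (name, salt, hash_password(password, salt)))

def verify(conn, name: str, password: str) -> bool:
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    # Constant-time comparison of the recomputed hash against the stored one.
    return hmac.compare_digest(stored, hash_password(password, salt))

def too_similar(old: str, new: str, threshold: float = 0.8) -> bool:
    # Assumed policy: reject a new password sharing >= 80% of its characters in order.
    return difflib.SequenceMatcher(None, old, new).ratio() >= threshold

def change_password(conn, name: str, old: str, new: str) -> str:
    # The user presents the old password here, so similarity is judged on
    # that submitted value; nothing in the database needs to be reversible.
    if not verify(conn, name, old):
        return "bad-credentials"
    if too_similar(old, new):
        return "too-similar"
    salt = os.urandom(16)  # fresh salt on every change
    conn.execute("UPDATE users SET salt = ?, pw_hash = ? WHERE name = ?",
                 (salt, hash_password(new, salt), name))
    return "changed"
```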