[cbi-dev] repo.eclipse.org credentials leak
  • From: Denis Roy <denis.roy@xxxxxxxxxxxxxxxxxxxxxx>
  • Date: Fri, 19 Feb 2021 13:50:54 -0500
  • List-archive: <https://www.eclipse.org/mailman/private/cbi-dev/>

All,

On Feb 16th 2021, we received a security report about secrets in the main Jiro repository. This report was correct. On March 18th 2020, the secrets were committed inside the repository.


The secrets were deployment credentials for the Nexus application running on repo.eclipse.org. While the credentials themselves were encrypted, the master password was also part of the leak. While this master password was not in clear text, it is fairly easy to decode it and then use it to decrypt the credentials.

We managed to validate - to the best of our knowledge - that no release artifacts were tainted because of this leak. Unfortunately, we can’t do much for the snapshot artifacts. We know that about 13k of them are signed jars, but for the rest, it’s impossible to deny or confirm anything.


As far as your release bits are concerned, you are safe and do not have to do anything. Regarding your snapshots, we’ve been pruning snapshots unused for more than 60 days from the repositories. We suggest you start building new snapshot versions of all used artifacts. Feel free to reach out to webmasters if you want to have a list of those.

We'll be publishing a full postmortem for this event in the days to come.


--

Denis Roy

Director, IT Services | Eclipse Foundation

Eclipse Foundation: The Community for Open Innovation and Collaboration

Twitter: @droy_eclipse
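Editor's note on the message above: the reason the ~13k signed snapshot jars can be reasoned about at all is that a signed jar carries digests of every entry in META-INF/MANIFEST.MF, a digest of that manifest in the .SF file, and a signature block over the .SF. The script below is an added example, not code from the message or from the Eclipse Foundation, and it covers only the digest layer: it checks each manifest-listed entry against its actual content, flags entries the manifest never listed, and checks the .SF's SHA-256-Digest-Manifest against the manifest bytes. The sample jar, its entry names (org/example/App.class and friends) and the EXAMPLE.SF file name are constructed here. It deliberately does not verify the PKCS#7 block (META-INF/*.RSA and similar) that binds those digests to the signer's certificate; for that step use `jarsigner -verify -verbose -certs`.

```python
import base64
import hashlib
import io
import zipfile

# Added example: the digest layer of JAR signature verification. It does NOT
# check the PKCS#7 block over the .SF; run `jarsigner -verify` for that.


def _hash(algo: str, data: bytes) -> str:
    """Base64 digest in manifest form; the attribute name SHA-256 maps to hashlib's sha256."""
    return base64.b64encode(hashlib.new(algo.replace("-", "").lower(), data).digest()).decode()


def _parse_manifest(raw: bytes) -> dict:
    """Parse a MANIFEST.MF or .SF into {entry_name: {attr: value}}; the main section is keyed ''."""
    unfolded = []
    for line in raw.decode("utf-8").replace("\r\n", "\n").replace("\r", "\n").split("\n"):
        if line.startswith(" ") and unfolded:      # continuation of a line wrapped at 72 bytes
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    sections, attrs, name = {}, {}, ""
    for line in unfolded:
        if line == "":                               # a blank line closes a section
            if attrs:
                sections[name] = attrs
            attrs, name = {}, ""
            continue
        key, _, value = line.partition(": ")
        if key == "Name":
            name = value
        else:
            attrs[key] = value
    if attrs:
        sections[name] = attrs
    return sections


def _is_signature_related(name: str) -> bool:
    """MANIFEST.MF and META-INF/*.SF|RSA|DSA|EC are never digested entries themselves."""
    upper = name.upper()
    return upper == "META-INF/MANIFEST.MF" or (
        upper.startswith("META-INF/") and upper.endswith((".SF", ".RSA", ".DSA", ".EC")))


def verify_jar_digests(jar_bytes: bytes, algo: str = "SHA-256") -> dict:
    """Report bad (content no longer matches its manifest digest), unlisted (entries the
    manifest never covered, i.e. added after signing) and whether the .SF's digest of
    the whole manifest still holds (None when the jar carries no .SF at all)."""
    bad, unlisted = [], []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        manifest_raw = zf.read("META-INF/MANIFEST.MF")
        sections = _parse_manifest(manifest_raw)
        attr = f"{algo}-Digest"
        for name in zf.namelist():
            if name.endswith("/") or _is_signature_related(name):
                continue
            section = sections.get(name)
            if section is None or attr not in section:
                unlisted.append(name)
            elif _hash(algo, zf.read(name)) != section[attr]:
                bad.append(name)
        sf_names = [n for n in zf.namelist()
                    if n.upper().startswith("META-INF/") and n.upper().endswith(".SF")]
        manifest_ok = None
        for sf_name in sf_names:
            sf_main = _parse_manifest(zf.read(sf_name)).get("", {})
            matches = sf_main.get(f"{algo}-Digest-Manifest") == _hash(algo, manifest_raw)
            manifest_ok = matches if manifest_ok is None else (manifest_ok and matches)
    return {"ok": not bad and not unlisted and manifest_ok is not False,
            "signed": bool(sf_names), "bad": bad, "unlisted": unlisted,
            "manifest_digest_ok": manifest_ok}


def build_signed_jar(entries: dict, algo: str = "SHA-256") -> bytes:
    """Build a jar laid out like jarsigner's output (manifest + .SF, no .RSA block)
    from constructed entries; used here only to produce sample input."""
    sections = [f"Name: {n}\r\n{algo}-Digest: {_hash(algo, d)}\r\n\r\n" for n, d in entries.items()]
    manifest = ("Manifest-Version: 1.0\r\nCreated-By: example\r\n\r\n" + "".join(sections)).encode()
    sf = f"Signature-Version: 1.0\r\n{algo}-Digest-Manifest: {_hash(algo, manifest)}\r\n\r\n"
    for n, section in zip(entries, sections):     # .SF also digests each manifest section
        sf += f"Name: {n}\r\n{algo}-Digest: {_hash(algo, section.encode())}\r\n\r\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        zf.writestr("META-INF/EXAMPLE.SF", sf.encode())
        for n, d in entries.items():
            zf.writestr(n, d)
    return buf.getvalue()


def rewrite_jar(jar_bytes: bytes, replace: dict) -> bytes:
    """Rewrite a jar with entries replaced or added while META-INF is left untouched:
    the kind of tampering a signed jar is meant to expose."""
    buf = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, zipfile.ZipFile(buf, "w") as out:
        for name in src.namelist():
            out.writestr(name, replace.get(name, src.read(name)))
        for name in replace.keys() - set(src.namelist()):
            out.writestr(name, replace[name])
    return buf.getvalue()


# Constructed sample content, not a real artifact.
SAMPLE_ENTRIES = {
    "org/example/App.class": b"\xca\xfe\xba\xbe" + bytes(16),
    "config.properties": b"mode=snapshot\n",
}

if __name__ == "__main__":
    good = build_signed_jar(SAMPLE_ENTRIES)
    print(verify_jar_digests(good))
    patched = rewrite_jar(good, {"org/example/App.class": b"\xca\xfe\xba\xbe" + b"\x01" * 16})
    print(verify_jar_digests(patched))   # App.class listed under "bad"
    added = rewrite_jar(good, {"org/example/Backdoor.class": b"\xca\xfe\xba\xbe"})
    print(verify_jar_digests(added))     # Backdoor.class listed under "unlisted"
```

The point of the three runs is the asymmetry the message describes: for a signed jar, a replaced class or an added one is caught by the manifest digests even before the signature block is checked, whereas an unsigned snapshot (no .SF, `"signed": False`) offers nothing to compare against, which is why nothing can be confirmed or denied for those.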