
FSF Patches Two-Year-Old Vulnerability Found by AI Researchers in GNU Savannah Repository (fsf.org)

The Free Software Foundation's GNU Savannah hosts thousands of free software projects — both GNU and non-GNU projects, including Drupal.

But in early May, security researchers from Hacktron.AI reported vulnerabilities and demonstrated an exploit, according to a new statement Friday from the FSF:

We have been working with these researchers since their initial report, and have also addressed additional security issues they submitted. All reported issues have been patched thanks to the hard work of GNU and FSF volunteers, as well as FSF staff. After thorough review, we have found no reason to believe that sensitive project data or credentials were accessed, nor that there has been any compromise of Savannah's software supply chain.

Nevertheless, we take the security of the GNU system, the tools which make it possible, and the projects we host very seriously. This body of software has become essential to millions (if not billions) of users around the world. We are therefore taking additional precautionary steps. Though the initial security issue was reported to us in early May, the vulnerabilities were discovered in software that was published approximately two years prior. We will be communicating directly with Savannah-hosted projects about steps they can take to review and strengthen the security of their projects.

We have also communicated with the other Savane instances we're aware of to assist their review of their own environments, and take any steps needed to help protect their users... This statement is intended as an initial notice. We expect to publish a report on the incident within 30 days.

Hacktron.AI bills itself as "Your AI teammate for security." Its web page notes that its investors include Meta, DeepMind, and Perplexity.


  • by Excelcia (906188) <slashdot@excelcia.ca> on Saturday June 20, 2026 @11:26AM (#66201704)

    Savannah likes to advertise its thousands of projects and call itself an incubator. I have a small open source project I wanted to move off of Github a couple years ago, and the pain I went through to try and get hosting there was immeasurable. The arrogance they displayed, like they were God's gift to hosting. And the "advertising" requirements they had. Not just the project licensing, which I can understand them wanting to be GPL and which I had no problems with. But the wording in the documentation, needing it to talk up GNU. The changes I had to make in actual functionality too were not insignificant. And the sheer arrogance with which they made these demands. Not all at once in a list. One. By. One. Always in a "Ya, your reply to our last request wasn't good enough... because what about this?" way.

    I kept the whole painful email exchange in a separate email folder just in case I ever get tempted to go back. I ended up going with Codeberg, which was simple, easy, and very philosophically compatible.

    So it doesn't surprise me they have unpatched problems. Savannah itself is ancient and primitive. The kind of thing a couple hackers whip up in a day which suits them so doesn't need polish. They are far too interested in resting on decades-old laurels than in actually doing good work today.

    How long before GNU realizes that its entire code base has been static so long that it's irrelevant and that "GNU/Linux" just isn't a thing because there is very little left that hasn't been replaced?

  • What is the purpose of the word nevertheless in this sentence?

    "Nevertheless, we take the security of the GNU system, the tools which make it possible, and the projects we host very seriously."

  • by kbahey (102895) on Sunday June 21, 2026 @03:23PM (#66203036)

    Drupal's code used to be self-hosted by the Drupal Association using plain Git and some custom code wrappers.

    But that changed a couple of years ago, and Drupal is now self-hosted on an instance running Gitlab.

    You can even see the Gitlab logo on the code's page [drupalcode.org].
