WineHQ database breached; Fedora Project forces password change
Following last month’s compromises of the primary repository for the Linux kernel source code and the websites and infrastructure of the Linux Foundation comes the news that another open source project has been hit.
WineHQ project, the manager of software that enables Linux, Mac, FreeBSD, and Solaris users to run Windows applications, warns of a breach into their databases system.
“What we know at this point that someone was able to obtain unauthorized access to the phpmyadmin utility,” wrote developer Jeremy White. We do not exactly how they obtained access; it was either by compromising an admins credentials, or by exploiting an unpatched vulnerability in phpmyadmin.”
He said that they do not believe that any other form of access to the system was obtained by the attackers, but even that was enough for them to exfiltrate the complete login database for both the Wine Application Database and Bugzilla.
“This means that they have all of those emails, as well as the passwords,” he noted, and added that even though the stored passwords were encrypted, low-quality passwords could be cracked if enough effort was put into it. So, they are resetting all the passwords and notifying users about it.
In the meantime, the Fedora Project has announced that it is asking users to to change their password and upload a new SSH public key before 30 November in order to keep their accounts active.
This move was not due to a breach or a vulnerability, it says, but a precautionary move that will hopefully urge the users to “review their security settings and move to “best practices” on their machines.”
“Some of our contributors may have had accounts on compromised high profile Linux sites recently, and we want to make sure no SSH private keys or passwords used in Fedora Infrastructure were obtained via those incidents,” it explained, and set new rules for choosing passwords: at least 9 characters long if lower and upper case letters, digits and punctuation marks are used and no less than 20 characters if only lower case letters are chosen.