Our sysadmins decided to preventively shut down most of our web services which were still running on end-of-life Mageia versions, as their potential vulnerability to remote attacks was publicised in third-party communities.
The migration of those services to Mageia 5 servers was planned but delayed due to a lack of sysadmin time to work on it. The unexpected publicity that it received obviously made this topic a high-priority one, our infrastructure being exposed as an easy target. The sysadmins therefore decided to shut down the services to be able to work on the migration without further risks.
Please note that our buildsystems for packages and ISO images are running the latest stable release, and therefore Mageia users need (as far as we know at this stage) not be concerned. The potential risks should be confined to web services of the mageia.org domain – we are nevertheless auditing all servers for traces of intrusion which could have been facilitated by the outdated infrastructure.
We are sorry for the inconvenience and this security negligence, and will keep you posted on our progress on this issue and the verification of the services.
- Homepage (www): online
- Blog: online
- Identity: online
- Bugzilla (bugs): online
- Mailing list (ml): online
- Wiki: online
- Forums: offline
- Mirrors index and MIRRORLIST (mirrors): online
- Git / Svn: online
- Gitweb / Svnweb: online
- Buildsystem (pkgsubmit): online
- Mageia App DB (madb): online
Edit Apr 5, 2017 @ 17:45: Added more details about services being down and the security risks.
Edit Apr 5, 2017 @ 20:45: Instructions to add a specific mirror manually for MIRRORLIST users.
Edit Apr 6, 2017 @ 8:00: Web services had been mistakenly put back online automatically during the night; they are now back offline as necessary.
Edit Apr 8, 2017 @ 1:00: Bugzilla and MIRRORLIST are functional again. Bugzilla was also updated to the latest 5.0.3+ upstream version.
Edit Apr 9, 2017 @ 0:15: Identity is back online.
Edit Apr 20, 2017 @ 15:00: Wiki is back online. Gitweb and Svnweb were also restored in the past week, and the mailing list software will be back soon.