Web services shut down preventively

Our sysadmins decided to preventively shut down most of our web services which were still running on end-of-life Mageia versions, as their potential vulnerability to remote attacks was publicised in third party communities.

The migration of those services to Mageia 5 servers was planned but delayed due to a lack of sysadmin time to work on it. The unexpected publicity that it received obviously made this topic a high priority one, our infrastructure being exposed as an easy target. The sysadmins therefore decided to shut down the services to be able to work on the migration without further risks.

Please note that our buildsystems for packages and ISO images are running the latest stable release, and therefore Mageia users need (as far as we know at this stage) not be concerned. The potential risks should be confined to web services of the mageia.org domain – we are nevertheless auditing all servers for traces of intrusion which could have been facilitated by the outdated infrastructure.

We are sorry for the inconvenience and this security negligence, and will keep you posted with our progress on this issue and the verification of the services.

Current status:

  • Homepage (www): online
  • Blog: online
  • Identity: online
  • Bugzilla (bugs): online
  • Mailing list (ml): online
  • Wiki: online
  • Forums: offline
  • Mirrors index and MIRRORLIST (mirrors): online
  • Git / Svn: online
  • Gitweb / Svnweb: online
  • Buildsystem (pkgsubmit): online
  • Mageia App DB (madb): online

Edit Apr 5, 2017 @ 17:45: Added more details about services being down and the security risks.

Edit Apr 5, 2017 @ 20:45: Instructions to add a specific mirror manually for MIRRORLIST users.

Edit Apr 6, 2017 @ 8:00: Web services had been mistakenly put back online automatically during the night; they are now back offline as necessary.

Edit Apr 8, 2017 @ 1:00: Bugzilla and MIRRORLIST are functional again. Bugzilla was also updated to the latest 5.0.3+ upstream version.

Edit Apr 9, 2017 @ 0:15: Identity is back online.

Edit Apr 20, 2017 @ 15:00: Wiki is back online. Gitweb and Svnweb were also restored in the past week, and the mailing list software will be back soon.


35 Responses to Web services shut down preventively

  1. Pingback: Вимкнено інтернет-служби для запобігання зламу | Mageia Blog (Україна)

  2. isadora says:

    Which also means that the forum is down now!!!

  3. Pingback: Services web mis hors-ligne de façon préventive | Mageia Blog (Français)

  4. Pingback: Website preventief offline gehaald | Mageia Blog (Nederlands)

  5. Pingback: Webdienste vorsorglich abgeschaltet | Mageia Blog (Deutsch)

  6. lumpinator says:

    It's a bit of a shame to hear this, BUT at least you are dealing with it now in a transparent and responsible way, this makes up a lot!

    I suppose this only affects the mentioned services and has no influence on our installations and this, as you call it, negligence didn't creep into the distro itself.

    As harsh as this comment may sound I'm still a big supporter of Mageia and I appreciate the time you all invest for our benefit into Mageia. In that sense: shit happens – lessons learned! Mageia just turned better today 🙂

  7. Robert Wood says:

    Does anyone know how long this will be? I’ve just had a catastrophic hard drive failure and cannot install a large number of my vital apps on the new hard drive.

    Thanks!

    • Rémi Verschelde says:

      It might take a few days for all services to be back online. What do you need exactly? You should still be able to access ISO images to download e.g. Mageia 5.1 and install it, as well as update repositories.

      Ah, unless you are using $MIRRORLIST which might be unresponsive now. If so, you can configure your repositories to use a specific mirror instead of the $MIRRORLIST: in the MCC, pick “Configure sources to install and update software”, remove all existing media, and then do File > Add a specific media mirror and pick one in your region of the world.

      • Robert Wood says:

        Hi chaps,

        Many thanks for the reply.

        When I try File | Add a specific mirror within Media manager it tells me:

        retrieval of [/var/cache/urpmi/basic.6.x86_64.list?product=Default] failed.

        The network, or Mageia website may be down. Ain’t that the case! 😀

        Is there a way to get round this I’m unaware of?

        • Rémi Verschelde says:

          Ah good point, since mirrors.mageia.org is down, not only the so-called $MIRRORLIST but also the API to retrieve the list of specific mirrors is broken.

          You’ll have to add one manually then. This address should give you a list of suitable mirrors, you can pick one of them: https://www.mageia.org/mirrorlist/?release=6&arch=x86_64&section=core&repo=updates

          Then do in a terminal:

          # urpmi.removemedia -a
          # urpmi.addmedia --distrib http://ftp-stud.hs-esslingen.de/pub/Mirrors/Mageia/distrib/6/x86_64

          The mirror URL should be up to the /x86_64 (or /i586) part.

      • Robert Wood says:

        Hmmm, I should add that I have installed Mageia 6 from my previously created DVD. There are apps such as kicad, Qt Creator that I need for my job. The system went down as I was routing a PCB on kicad in fact!

        Are you saying that I should install Mageia 5 instead?

        • Rémi Verschelde says:

          No it’s fine to use Mageia 6 if it works for you (it should, it’s getting very stable now).

          • Robert Wood says:

            Cauldron has been working fairly well on the whole and has much more recent versions of glibc and kicad which are both very useful. However, I am at a complete loss as to how to add these repositories.

            • It's the urpmi.addmedia command that Remi was talking about.

              # urpmi.removemedia -a
              # urpmi.addmedia --distrib http://ftp-stud.hs-esslingen.de/pub/Mirrors/Mageia/distrib/6/x86_64

              This will remove all the repos you have right now, then add the mirror at Esslingen Hoch Schule directly.

              It's a pretty good and fast mirror too.

            • Robert Wood says:

              Sorry, I’d missed your comments above. However, I still am having no luck. Sorry to be a pest 🙁

              I assume you meant I needed to Add a custom mirror, which I did from the list you gave me.

              I left MCC and did this:

              [root@localhost etc]# urpmi.removemedia -a
              removing medium “Main”
              removing medium “ftp”
              [root@localhost etc]# urpmi.addmedia –distrib http://ftp-stud.hs-esslingen.de/pub/Mirrors/Mageia/distrib/6/x86_64
              adding medium “âdistrib”
              …retrieving failed: curl failed: exited with 22

              no metadata found for medium “âdistrib”
              [root@localhost etc]#

              Am I doing something wrong? Or are there other problems with these mirrors?

              • Rémi Verschelde says:

                Ah my bad, the blog engine changed the two dashes to one long dash.

                Here it is again properly formatted:

                # urpmi.removemedia -a
                # urpmi.addmedia --distrib http://ftp-stud.hs-esslingen.de/pub/Mirrors/Mageia/distrib/6/x86_64
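A pre-flight check for the failure seen in this thread, where a typographic dash turned the `--distrib` option into a medium name. This is an added example, not part of the original post or of urpmi: `is_plain_ascii` and `check_addmedia_args` are hypothetical helper names, and the script only validates and prints the command, it never calls urpmi.addmedia.

```shell
#!/bin/sh
# Added example: validate a pasted "urpmi.addmedia --distrib URL" before running it.
# Helper names are hypothetical; nothing here is shipped with urpmi.

# Return 0 if the argument contains only printable ASCII (0x20-0x7E).
is_plain_ascii() {
    leftover=$(printf '%s' "$1" | LC_ALL=C tr -d '\040-\176')
    [ -z "$leftover" ]
}

# Check the arguments that would follow "urpmi.addmedia".
# Returns 0 if they look right, 2 for a non-ASCII or control character
# (such as an en dash pasted from a web page), 3 if --distrib is missing,
# 4 if the URL does not stop at the architecture directory.
check_addmedia_args() {
    for arg in "$@"; do
        if ! is_plain_ascii "$arg"; then
            echo "non-ASCII or control character in argument: $arg"
            return 2
        fi
    done
    if [ "$1" != "--distrib" ]; then
        echo "first argument must be --distrib (two ASCII hyphens)"
        return 3
    fi
    url=${2%/}    # tolerate a single trailing slash
    case "$url" in
        *://*/x86_64|*://*/i586) ;;
        *) echo "mirror URL must end at /x86_64 or /i586: $2"
           return 4 ;;
    esac
    echo "ok: urpmi.addmedia --distrib $url"
}

# Constructed demo: the intended command, then the form the blog engine produced
# (the en dash is written as its UTF-8 bytes in octal).
MIRROR=http://ftp-stud.hs-esslingen.de/pub/Mirrors/Mageia/distrib/6/x86_64
check_addmedia_args --distrib "$MIRROR" || true
check_addmedia_args "$(printf '\342\200\223distrib')" "$MIRROR" || true
```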

    • This shouldn’t have any impact on install and updating a system, as noted the build system is not shut down.

      I assume that you are missing the mirror for the update, you can get around this by using a set mirror, and adding it using the instead of the automatic selected mirror.

    • As a side note to this, the urpmi.addmedia command is rather useful if you want to use rsync mirrors or a local repo if you’re into that sort of thing.

      Glad it's sorted though

  8. Conan Kudo (ニール・ゴンパ) says:

    Note that if you’re using DNF on Mageia 6 / Cauldron, you’re not affected by the shutdown of web services. The mirror list generator for DNF is part of the main website and continues to function.

  9. Mewgly says:

    How long?

  10. psyca says:

    Some Mirror URLs you can find in the “Wayback” Machine (Status from December 2016).

    https://web.archive.org/web/20161230053338/http://mirrors.mageia.org/

    • psyca says:

      (please note that you click on “FTP” or remove the “https://web.archive.org/web/20161121095220/” in the browser field if you click on an http url, because archive.org adds its own web address in front of the (server) urls).

  11. M.Z. says:

    As a Mageia desktop user I’m a bit disappointed that the team wasn’t following better security practices, but the incident brings up some interesting questions. If the Mageia team didn’t like the support length of their own distro on the server, is there an opportunity to gain more traction in that market by reexamining support length? It would be interesting to consider the possible trade-offs involved in changing the Mageia support cycle, especially for servers. I think it would be worth examining the question with others who use Mageia in similar capacities, & looking at what sort of support other community projects like Debian receive from those looking for community based server distros. Could a strategic investment in this area help Mageia get more & bigger supporters & yield rewards for server & desktop users alike? Just a few thoughts. Good luck sorting everything out.

  12. Pingback: Weekly roundup 2017 – week 14 | Mageia Blog (English)

  13. Pingback: Wöchentliche Zusammenfassung 2017 – Woche 14 | Mageia Blog (Deutsch)

  14. Pingback: Ronda Semanal 2017 – Semana 14 | Mageia Blog (Español)

  15. Addams Scrub says:

    You can also find ALL mirrors by seeing a cached version of https://mirrors.mageia.org

    How can you do that?
    Go on Google, search “mageia mirror list” and on the first search result at the end of the link click the bottom-up triangle and select Cached.

  16. Pingback: Тижневий огляд — 2017, тиждень 14 | Mageia Blog (Україна)

  17. chris says:

    The forum is still down? If you're looking for somewhere to host it let me know.

    • Donald Stewart says:

      Hi thanks for the offer, I won’t speak for the sysadmin team as all of that is a little too technical for me, but AFAIK hosting isn’t the issue, it is upgrading the forum software, but it’s the next priority and should be back up soon. If that’s something that you would like to be involved with, the sysadmins are always grateful for any help.

  18. Pingback: Serviços Web encerrados preventivamente | Mageia Blog (Português)

  19. Pingback: Resumo semanal 2017 – semana 14 | Mageia Blog (Português)