gnutls-devel

Re: Savannah, SQL Injection, Passwords, and Security Posture


From: Simon Josefsson
Subject: Re: Savannah, SQL Injection, Passwords, and Security Posture
Date: Mon, 06 Dec 2010 15:51:39 +0100
User-agent: Gnus/5.110011 (No Gnus v0.11) Emacs/23.2 (gnu/linux)

Jeffrey Walton <address@hidden> writes:

> Hi All,
>
> According to http://savannah.gnu.org/, the server was down for a few
> days due to a SQL Injection. Because the server did not properly
> sanitize its data, the password database was compromised.
>
> Today, I tried to change my password to a similar password.
> Surprisingly, the change was rejected because the password was too
> similar. The "surprising" part is it appears GNU is storing passwords
> in plain text.
>
> I'm going out on a limb and guessing that free software stored the
> passwords in the plain text. "Password Security: A Case History" by
> Morris and Thompson was written in the 1970s. Sadly, GNU has totally
> punned lessons learned in the past.

If you join the Savannah project, I'm sure they could use your help.  I
know that they need more manpower.

> The GnuTLS project happily uses dangerous string functions. Use of the
> functions appears unaudited, suffering unchecked buffer overflows and
> truncations. In fact, the project took a buffer overflow report today
> due to a call to sprintf. Sadly, GNU has totally punned lessons
> learned in the past (again).

Again, without volunteers to do the work, it won't improve.

> Would someone be able to provide GNU's policy regarding application
> security and proper use of cryptography in GNU projects? "GNU Coding
> Standards" (http://www.gnu.org/prep/standards/standards.html) does not
> address anything security related. I'm very interested in learning
> about GNU's security posture.

To improve the document, you can send contributions to
address@hidden

/Simon
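The password-similarity rule discussed above, as an added example that is not code from Savannah, GnuTLS or anyone in this thread: a change-password handler that keeps only a salted PBKDF2-HMAC-SHA256 hash at rest and compares the new password against the old one the user just typed, so a "too similar" rejection does not by itself require plaintext storage. The 0.8 difflib ratio threshold and the in-memory dict "database" are constructed assumptions for the example.

```python
import difflib
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 200_000   # assumed work factor for the example
SIMILARITY_LIMIT = 0.8        # hypothetical policy threshold (difflib ratio)


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; this is all that is ever stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS)


def create_user(db: dict, username: str, password: str) -> None:
    """Constructed in-memory store: username -> (salt, hash). No plaintext."""
    salt = os.urandom(16)
    db[username] = (salt, hash_password(password, salt))


def verify_password(db: dict, username: str, password: str) -> bool:
    rec = db.get(username)
    if rec is None:
        return False
    salt, stored = rec
    # Constant-time comparison of the stored and recomputed digests.
    return hmac.compare_digest(stored, hash_password(password, salt))


def too_similar(old: str, new: str) -> bool:
    """Similarity between the two plaintexts supplied in this request."""
    return difflib.SequenceMatcher(None, old, new).ratio() >= SIMILARITY_LIMIT


def change_password(db: dict, username: str, old: str, new: str) -> str:
    """Returns 'ok', 'bad-old-password' or 'too-similar'."""
    if not verify_password(db, username, old):
        return "bad-old-password"
    # The old password is in memory only because the user just sent it;
    # the check needs nothing beyond the salted hash at rest.
    if too_similar(old, new):
        return "too-similar"
    salt = os.urandom(16)                 # fresh salt on every change
    db[username] = (salt, hash_password(new, salt))
    return "ok"
```

A login-time "forgot password" flow cannot run this check, since only the hash is available there; a similarity rejection outside a change request would indeed point to recoverable storage.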


