Debian development server broken into
One of the central development servers in the Debian project has been cracked; the culprits have not yet been identified. According to a report on a developer mailing list, the break-in on the development server gluck was noticed on Wednesday morning and the server was taken offline. A number of services and repositories - such as cvs, ddtp, lintian, people, popcon, planet, ports and release - are therefore no longer available. In addition, access to other machines at Debian.org has also been blocked.
The developers apparently cannot yet say whether code or data were changed; they have yet to respond to a query on this matter by heise Security. At present, the developers are studying how the server was broken into. Rumour has it that a known hole in the Linux kernel (2.6.13 to 126.96.36.199) has been used. This allows a user with limited rights to gain root rights by means of a core dump. An exploit for this hole is already in circulation. This explanation is plausible in the light of the large number of people and developers who have limited access to the servers.
At the end of 2003, a privilege-escalation bug in the kernel also enabled a break-in to a Debian server. Back then, however, most of the software archive was not compromised.
- compromise of gluck.debian.org, lock down of other debian.org machines, report on the Debian mailing list