Fixed
Status Update
Comments
kr...@arm.com <kr...@arm.com> #2
It's not a .git directory but a .svn directory. :) That said, even though Subversion use by the llvm project has been long discontinued, it should still not be exposed, or even better, the directory should be cleaned up.
CC'ing Mike Edwards, who I hope is able to get rid of that directory.
ts...@redhat.com <ts...@redhat.com> #3
[Empty comment from Monorail migration]
kr...@arm.com <kr...@arm.com> #4
Yes, along with .svn I was able to download the .git folder too.
I have attached the zip file, you can find the git folder inside it.
ts...@redhat.com <ts...@redhat.com> #5
Pulling in Tom Stellard and Tobias Hieta as the LLVM release managers on this issue reported to the LLVM security group.
While .svn or .git directories probably shouldn't be present at https://releases.llvm.org, I wonder how this is a security issue.
Is some of the information in those directories perhaps not available publicly already?
kr...@arm.com <kr...@arm.com> #6
I don't think there is any problem with having the .git directory exposed. I'm not sure about .svn though. I'm fairly certain we can remove the .svn directory, but not sure about the .git directory. Anton is probably the best person to talk to about this.
is...@google.com <is...@google.com> #7
cc-ing in Anton.
Description
On Tue April 2, 2024 at 10:13AM PDT we received an email in the llvmbot@llvm.org email account from github-support saying that the llvmbot account, which we use mainly for project automation, had been suspended due to a suspicious login.
I first noticed there was a problem on Tue April 2, 2024 at 3:54PM PDT when I attempted to log in to the account but was denied access. It seems like GitHub forces a password reset when they suspend an account, so my assumption is that I couldn't log in due to the suspension, not due to a malicious actor changing the password.
On Wed Apr 3, 2024 at 6:12AM PDT, I was able to regain access to the account. I immediately changed the password, 2FA token, re-downloaded the account recovery codes, and regenerated all the personal access tokens associated with the account.
On Wed Apr 3, 2024 at 6:40AM PDT, I filed a ticket with GitHub Support asking for more information about the suspicious login.
I've done an initial review of the llvmbot activity between and it seems normal, but this could probably use a more thorough analysis. I also would like to make a Discourse post before the end of the week alerting the community about what happened.
I'm still not quite sure what a 'suspicious login' means and if someone was actually able to get access to the account or if it just means someone tried to log in. I'm hoping to get more information from the GitHub Support ticket.
I will update this ticket as I get more information.