Closed
Bug 1257645
Opened 8 years ago
Closed 8 years ago
Take git.mozilla.org offline until impact of CVE-2016-2324 and CVE-2016-2315 are understood
Categories
(Developer Services :: Git, defect)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: hwine, Assigned: fubar)
Details
No description provided.
Updated•8 years ago
Summary: Take git.mozilla.org offline until impact of ᴄᴠᴇ-2016-2324 and ᴄᴠᴇ‑2016‑2315 are understood → Take git.mozilla.org offline until impact of CVE-2016-2324 and CVE‑2016‑2315 are understood
Assignee
Comment 1•8 years ago
git.mozilla.org HTTPS and SSH access have been reinstated. HTTP is currently off, pending a change to automatically redirect to HTTPS (ETA Monday).
Assignee: nobody → klibby
Reporter
Comment 2•8 years ago
git.mozilla.org has been upgraded to git 2.7.4, which contains the security patches for these CVEs. All existing repositories have been quick scanned for any signs of the attack, and none were found. We are re-enabling HTTPS access and SSH (push) access. For the moment, we are leaving HTTP disabled to avoid MITM delivery of a compromised payload (an unlikely, but theoretically possible, attack). If lack of HTTP access impacts your usage, please switch your automation to use HTTPS. If you can't do that, please open a new ticket explaining your need for HTTP access. Thanks to everyone for their patience.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Assignee
Comment 3•8 years ago
HTTP now redirects to HTTPS; additionally HSTS headers have been added.
Updated•8 years ago
Summary: Take git.mozilla.org offline until impact of CVE-2016-2324 and CVE‑2016‑2315 are understood → Take git.mozilla.org offline until impact of CVE-2016-2324 and CVE-2016-2315 are understood
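The end state described in comment 3 (HTTP redirecting to HTTPS, with HSTS on the HTTPS side) can be checked from response headers. The following is an added example, not part of the bug or of Mozilla's tooling; the host git.example.org, the sample responses, and the 180-day minimum max-age are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample responses (status, headers); not captured from a real host.
HTTP_RESPONSE = (301, {"Location": "https://git.example.org/repo.git/info/refs"})
HTTPS_RESPONSE = (200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"})


def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797, section 6.1).

    Returns a dict keyed by lower-cased directive name, or None when the
    header is unusable: a repeated directive or a missing/non-numeric max-age.
    """
    directives = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        if not name:
            continue
        if name in directives:  # a duplicate directive invalidates the header
            return None
        directives[name] = arg.strip().strip('"')  # values may be quoted
    if not re.fullmatch(r"\d+", directives.get("max-age", "")):
        return None
    return directives


def check_transport(host, http_resp, https_resp, min_age=15552000):
    """Return a list of findings; an empty list means both checks pass.

    min_age (180 days) is an assumed threshold, not a value from the bug.
    """
    findings = []
    status, raw = http_resp
    location = {k.lower(): v for k, v in raw.items()}.get("location", "")
    target = urlsplit(location)
    if status not in (301, 302, 307, 308):
        findings.append("HTTP is served directly instead of redirecting")
    elif target.scheme != "https" or target.hostname != host:
        findings.append("redirect does not point to https on the same host")
    sts = {k.lower(): v for k, v in https_resp[1].items()}
    policy = parse_hsts(sts.get("strict-transport-security", ""))
    if policy is None:
        findings.append("HSTS header missing or malformed")
    elif int(policy["max-age"]) < min_age:
        findings.append("HSTS max-age below %d seconds" % min_age)
    return findings
```

Only the header on the HTTPS response is evaluated, because browsers ignore Strict-Transport-Security received over plain HTTP.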