The Savannah GNU free software archive has been attacked with encrypted passwords stolen that enabled the attackers to access restricted project material.
The hackers used a SQL injection attack against the savannah.gnu.org site which has bought the operation to its knees. The site is still offline and a notice says that the group has finished the process of restoring all of the data from a clean backup and bringing up access to some resources.
However it is still in the middle of adjusting its security settings to prevent further attacks. Some of the passwords were discovered by brute-force attack, leading in turn to project membership access, the site said. The site has been rolled back to November 23 when all was working.
“While effort was made in the past to fix injection vulnerabilities in the Savane2 legacy codebase, it appears this was not enough," the group said in its notice.
So far only one project appears to have been affected by the compromise.