PHP git source repo compromise!

eva2000 · Mar 29, 2021

Seems the official PHP git source repo server might have been compromised with unauthorized commits php.internals: Changes to Git commit workflow. They are now switching away from their own Git server and using Github mirror as the official Git repo at php/php-src

Hi everyone,

Yesterday (2021-03-28) two malicious commits were pushed to the php-src
repo [1] from the names of Rasmus Lerdorf and myself. We don't yet know how
exactly this happened, but everything points towards a compromise of the
git.php.net server (rather than a compromise of an individual git account).

While investigation is still underway, we have decided that maintaining our
own git infrastructure is an unnecessary security risk, and that we will
discontinue the git.php.net server. Instead, the repositories on GitHub,
which were previously only mirrors, will become canonical. This means that
changes should be pushed directly to GitHub rather than to git.php.net.

While previously write access to repositories was handled through our
home-grown karma system, you will now need to be part of the php
organization on GitHub. If you are not part of the organization yet, or
don't have access to a repository you should have access to, contact me at
nikic@php.net with your php.net and GitHub account names, as well as the
permissions you're currently missing. Membership in the organization
requires 2FA to be enabled.

This change also means that it is now possible to merge pull requests
directly from the GitHub web interface.

We're reviewing the repositories for any corruption beyond the two
referenced commits. Please contact security@php.net if you notice anything.

Regards,
Nikita

[1]:
[skip-ci] Fix typo · php/php-src@c730aa2
and
Revert "Revert "[skip-ci] Fix typo"" · php/php-src@2b0f239
Click to expand...

buik · Mar 30, 2021

Fortunately, no commits have been made in specific release branches, but in the master.

Relatively harmless. Nice to see that the PHP team took immediate action!

eva2000 · Mar 30, 2021

buik said: ↑

Fortunately, no commits have been made in specific release branches, but in the master.
Click to expand...

Indeed lucky! Happy to see them move to using Github repo as official version

Log in / Register

Forums

Discover Centmin Mod today

PHP git source repo compromise!

eva2000 Administrator Staff Member

buik “The best traveler is one without a camera.”

eva2000 Administrator Staff Member

.

Log in / Register

Useful Searches

Discover Centmin Mod today

PHP git source repo compromise!

eva2000 Administrator Staff Member

buik “The best traveler is one without a camera.”

eva2000 Administrator Staff Member

.