Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

FossHub hacked: Is Jabref also affected? #1670

Closed
AEgit opened this issue Aug 3, 2016 · 4 comments
Closed

FossHub hacked: Is Jabref also affected? #1670

AEgit opened this issue Aug 3, 2016 · 4 comments
Labels
build-system
Milestone
v3.6

Comments

@AEgit
Copy link

AEgit commented Aug 3, 2016

FossHub has been hacked, see:

https://www.reddit.com/r/pcmasterrace/comments/4vw21h/massive_psa_do_not_download_classic_shell_read/

and

http://www.heise.de/newsticker/meldung/FossHub-kompromittiert-Software-Installer-mit-Malware-infiziert-3286347.html
(German only)

The software installer has been infected with a Malware that overwrites the boot loader.

As Jabref ist offered on FossHub as well, I was just wondering, whether the offered .exe files were affected as well or not?
@matthiasgeiger
Copy link
Member

matthiasgeiger commented Aug 3, 2016
edited
Loading

Thanks for informing us about this issue.

The files that are the moment distributed by fosshub don't seem to be affected.

The Signatures shown at fosshub are the right ones and the files hosted there still have the same checksum:

 JabRef Windows Installer (64 bit) - 25.13 MB | version: 3.5
MD5: fdf4fa0e33019b2882c39e2066c65fb5
SHA1: 8709f73a4204b882fec7ef6b9877774708a13f8d
SHA256: 9438a6762db4e4504793d5a1dd05a18f7772fbe0d77c06eaeb83e4b80bd5922c

JabRef Platform independent runnable JAR - 23.83 MB | version: 3.5
MD5: c63caa885622c9057c6e926ffc0ed132
SHA1: e6892ad307947429311db8db452b607ce3e2b0af
SHA256: b5a9148008005f7ba081614693275d6b9226875286e99cda47d2648c583708a7 

JabRef Mac OS X - 24.46 MB | version: 3.5
MD5: ffd9845d1d3769324ec371e6cd515957
SHA1: da1fcdebcc70658fe0ecd7827e2a8f88855392b5
SHA256: fea9b90668c94c31e18c0a6593adacb84e1247aa4f937ddeb8719deb2a900e4c 

JabRef Windows Installer (32 bit) - 25.04 MB | version: 3.5
MD5: a3765d5568b88bdb9197725f04d7a15e
SHA1: 0d7593fbca6dbb8270ca9fc2674159a3477be9c0
SHA256: 1f891a7c539844594fb50aab073db1d8c5d55a9d52fbcf669546f82d82da1469

So - as far as I can tell ATM the JabRef installers should do no harm. Nevertheless we'll link to other trustworthy download sources until the situation at fosshub.com has been investigated and fixed.

Edit: Download link @jabref.org has been adjusted - you can download JabRef from:

@AEgit
Copy link
Author

AEgit commented Aug 3, 2016

Glad to hear I was of any help!

@stefan-kolb
Copy link
Member

We will introduce code signing before switching back to Fosshub.

@koppor koppor mentioned this issue Aug 18, 2016
Closed
@koppor koppor added this to the v3.6 milestone Aug 18, 2016
@koppor
Copy link
Member

koppor commented Aug 23, 2016

We ordered a OSS certificate at certum, due to some order processing issues, the certificate won't make it in 3.6. Nevertheless, FossHub is up and running with new security and can be reused for download hosting again.

@koppor koppor closed this as completed Aug 23, 2016
@koppor koppor mentioned this issue Oct 9, 2016
Merged
@rolandog rolandog mentioned this issue Apr 17, 2018
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
build-system
Projects
None yet
Milestone
v3.6
Development

No branches or pull requests
4 participants
@matthiasgeiger @koppor @stefan-kolb @AEgit