FSF Patches Two-Year-Old Vulnerability Found by AI Researchers in GNU Savannah Repository (fsf.org)
Saturday June 20, 2026 @11:34AM (EditorDavid)
from the sharing-the-software dept.
- Reference: 0184004202
- News link: https://news.slashdot.org/story/26/06/20/0321205/fsf-patches-two-year-old-vulnerability-found-by-ai-researchers-in-gnu-savannah-repository
- Source link: https://www.fsf.org/news/statement-regarding-gnu-savannah-security-reports
The Free Software Foundation's GNU Savannah hosts thousands of free software projects — both GNU and non-GNU projects, including Drupal.
But in early May, security researchers from [1]Hacktron.AI reported vulnerabilities and demonstrated an exploit, according to [2]a new statement Friday from the FSF:
> We have been working with these researchers since their initial report, and have also addressed additional security issues they submitted. All reported issues have been patched thanks to the hard work of GNU and FSF volunteers, as well as FSF staff. After thorough review, we have found no reason to believe that sensitive project data or credentials were accessed, nor that there has been any compromise of Savannah's software supply chain.
>
> Nevertheless, we take the security of the GNU system, the tools which make it possible, and the projects we host very seriously. This body of software has become essential to millions (if not billions) of users around the world. We are therefore taking additional precautionary steps. Though the initial security issue was reported to us in early May, the vulnerabilities were discovered in software that was published approximately two years prior. We will be communicating directly with Savannah-hosted projects about steps they can take to review and strengthen the security of their projects.
>
> We have also communicated with the other Savane instances we're aware of to assist their review of their own environments, and take any steps needed to help protect their users... This statement is intended as an initial notice. We expect to publish a report on the incident within 30 days.
Hacktron.AI bills itself as "Your AI teammate for security." Its web page notes that its investors include Meta, DeepMind, and Perplexity.
[1] https://hacktron.ai/
[2] https://www.fsf.org/news/statement-regarding-gnu-savannah-security-reports
Doesn't surprise me it took this long... (Score:2)
Savannah likes to advertise its thousands of projects and call itself an incubator. I have a small open source project I wanted to move off of Github a couple years ago, and the pain I went through to try and get hosting there was immeasurable. The arrogance they displayed, like they were God's gift to hosting. And the "advertising" requirements they had. Not just the project licensing, which I can understand them wanting to be GPL and which I had no problems with. But the wording in the documentation,