Infrastructure report, 2008-08-22 UTC 1200

David Both david at both.org
Fri Aug 22 13:09:05 UTC 2008


Any information on the attack vector?

Paul W. Frields wrote:
> Last week we discovered that some Fedora servers were illegally
> accessed. The intrusion into the servers was quickly discovered, and the
> servers were taken offline.
>
> Security specialists and administrators have been working since then to
> analyze the intrusion and the extent of the compromise as well as
> reinstall Fedora systems. We are using the requisite outages as an
> opportunity to do other upgrades for the sake of functionality as well
> as security. Work is ongoing, so please be patient. Anyone with
> pertinent information relating to this event is asked to contact
> fedora-legal at redhat.com.
>
> One of the compromised Fedora servers was a system used for signing
> Fedora packages. However, based on our efforts, we have high confidence
> that the intruder was not able to capture the passphrase used to secure
> the Fedora package signing key. Based on our review to date, the
> passphrase was not used during the time of the intrusion on the system
> and the passphrase is not stored on any of the Fedora servers.
>
> While there is no definitive evidence that the Fedora key has been
> compromised, because Fedora packages are distributed via multiple
> third-party mirrors and repositories, we have decided to convert to new
> Fedora signing keys. This may require affirmative steps from every
> Fedora system owner or administrator. We will widely and clearly
> communicate any such steps to help users when available.
>
> Among our other analyses, we have also done numerous checks of the
> Fedora package collection, and a significant amount of source
> verification as well, and have found no discrepancies that would
> indicate any loss of package integrity. These efforts have also not
> resulted in the discovery of additional security vulnerabilities in
> packages provided by Fedora.
>
> Our previous warnings against further package updates were based on an
> abundance of caution, out of respect for our users. This is also why we
> are proceeding with plans to change the Fedora package signing key. We
> have already started planning and implementing other additional
> safeguards for the future. At this time we are confident there is little
> risk to Fedora users who wish to install or upgrade signed Fedora
> packages.
>
> In connection with these events, Red Hat, Inc. detected an intrusion of
> certain of its computer systems and has issued a communication to Red
> Hat Enterprise Linux users which can be found at
> http://rhn.redhat.com/errata/RHSA-2008-0855.html. This communication
> states in part, "Last week Red Hat detected an intrusion on certain of
> its computer systems and took immediate action. While the investigation
> into the intrusion is on-going, our initial focus was to review and test
> the distribution channel we use with our customers, Red Hat Network
> (RHN) and its associated security measures. Based on these efforts, we
> remain highly confident that our systems and processes prevented the
> intrusion from compromising RHN or the content distributed via RHN and
> accordingly believe that customers who keep their systems updated using
> Red Hat Network are not at risk. We are issuing this alert primarily for
> those who may obtain Red Hat binary packages via channels other than
> those of official Red Hat subscribers."
>
> It is important to note that the effects of the intrusion on Fedora and
> Red Hat are *not* the same. Accordingly, the Fedora package signing key
> is not connected to, and is different from, the one used to sign Red Hat
> Enterprise Linux packages. Furthermore, the Fedora package signing key
> is also not connected to, and is different from, the one used to sign
> community Extra Packages for Enterprise Linux (EPEL) packages.
>
> We will continue to keep the Fedora community notified of any updates.
>
> Thank you again for your patience.

-- 

*********************************************************
"I'd put my money on the sun and solar energy. What a source of power! I hope we don't have to wait until oil and coal run out before we tackle that."
 - Thomas Edison, in conversation with Henry Ford and Harvey Firestone, 1931

*********************************************************
David P. Both