Infrastructure status, 2008-08-19 UTC 0200

Roger Grosswiler roger at gwch.net
Sat Aug 23 14:16:55 UTC 2008


On Sat, 23 Aug 2008 00:38:15 +0200
Björn Persson <bjorn at xn--rombobjrn-67a.se> wrote:

> Anne Wilson wrote:
> > On Friday 22 August 2008 17:48:22 Tom Killian wrote:
> > > > One of the compromised Fedora servers was a system used for
> > > > signing Fedora packages. However, based on our efforts, we have
> > > > high confidence that the intruder was not able to capture the
> > > > passphrase used to secure the Fedora package signing key. Based
> > > > on our review to date, the passphrase was not used during the
> > > > time of the intrusion on the system and the passphrase is not
> > > > stored on any of the Fedora servers.
> > >
> > > Hmm, sounds like the passphrase is safe, but the
> > > passphrase-encrypted private key is in the hands of the bad guys,
> > > a good reason to revoke the key.
> >
> > That is not at all what was said.  The 'bad guy' intruded into the
> > system. At no time did he use the passphrase - as has been
> > verified.  I can think of no reason for him not to do so if he had
> > got the private key.  The FUD on this list is unbelievable.
> 
> Tom is right. What the announcement says is that we must assume that
> the intruder has the key but he probably can't use it. The key is
> encrypted with a passphrase and the intruder had no way of finding
> out the passphrase. The key therefore needs to be changed but there's
> no need to panic.
> 
> Björn Persson

OK, but is it also on Fedora, with the OpenSSH issue? Or how could we now
find out if our systems are compromised too?

Roger
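The question above is about checking one's own machines. One local check that follows from the thread's point (the risk is packages signed with a key the intruder may hold, so every package is only as trustworthy as the key that signed it) is to list each installed RPM together with the key ID that signed it and flag anything unsigned or signed by a key you do not expect. The script below is an added example, not code from this thread or from the Fedora project: the `rpm --qf` invocation in the comment is the one I would feed it, and the package names and key IDs in the embedded sample listing are constructed placeholders, not real Fedora packages or keys.

```shell
#!/bin/sh
# Added example: audit which key signed each installed RPM.
# Feed it the output of (assumed invocation, prints "<nvra> <sig info>"):
#   rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH} %|SIGGPG?{%{SIGGPG:pgpsig}}:{%{SIGPGP:pgpsig}}|\n'
# where <sig info> is "<algo>, <date>, Key ID <hex>" for a signed package
# and "(none)" for an unsigned one. The trusted key IDs come from
#   rpm -q gpg-pubkey --qf '%{VERSION} %{SUMMARY}\n'
# on a machine you still trust, or from the distribution's published key.

# Usage: audit_rpm_sigs "<trusted key id> [<trusted key id> ...]" < listing
# Prints "<nvra> unsigned" or "<nvra> untrusted-key <id>" for each
# suspicious package; returns 1 if any were found, 0 otherwise.
audit_rpm_sigs() {
    trusted=$1
    found=0
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        pkg=${line%% *}          # everything before the first space
        rest=${line#* }          # everything after it
        case "$rest" in
            "(none)")
                echo "$pkg unsigned"
                found=1
                ;;
            *"Key ID "*)
                keyid=${rest##*Key ID }
                keyid=$(printf '%s' "$keyid" | tr 'A-F' 'a-f')
                ok=0
                for t in $trusted; do
                    t=$(printf '%s' "$t" | tr 'A-F' 'a-f')
                    # accept the full 16-hex-digit ID or the 8-digit short form
                    case "$keyid" in
                        "$t"|*"$t") ok=1 ;;
                    esac
                done
                if [ "$ok" -eq 0 ]; then
                    echo "$pkg untrusted-key $keyid"
                    found=1
                fi
                ;;
            *)
                # Unknown format: report it rather than silently passing it
                echo "$pkg unparsed: $rest"
                found=1
                ;;
        esac
    done
    return $found
}

# Constructed sample listing (placeholder packages and key IDs, not real
# Fedora data). The key we assume to trust is 0000000011111111.
SAMPLE='sample-base-1.0-1.fc9.x86_64 DSA/SHA1, Mon 21 Jul 2008 14:02:11 UTC, Key ID 0000000011111111
sample-net-2.3-4.fc9.x86_64 DSA/SHA1, Tue 19 Aug 2008 03:12:40 UTC, Key ID 2222222233333333
sample-tools-0.9-2.fc9.noarch (none)
sample-libs-1.1-7.fc9.x86_64 DSA/SHA1, Mon 21 Jul 2008 14:05:50 UTC, Key ID 0000000011111111'

# Runs the audit over the constructed sample with one trusted key.
run_sample() {
    printf '%s\n' "$SAMPLE" | audit_rpm_sigs "0000000011111111"
}

run_sample
```

Two caveats a practitioner should keep in mind. First, a signature only proves a package matches what the key holder signed; if the intruder really did obtain a usable copy of the key, packages he produced would verify cleanly, which is exactly why the key itself has to be replaced. Second, this check says nothing about a host that was compromised by some route other than a tampered package; pair it with `rpm -V` (which reports files whose size, mode or digest no longer match the package database) and with the usual host forensics before concluding a machine is clean.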
