Fedora "Issue" Revealed: Haxored!

The mysterious "issue" with the Fedora Project's "infrastructure systems" has finally been revealed: an unidentified number of the project's servers were "illegally accessed" — hacked — along with an unidentified number of servers servicing Red Hat Enterprise Linux.

Breaking News first reported last week that Paul Frields, Fedora Project Leader, had issued a vague and somewhat shadowy advisory regarding an "issue" with the project's "infrastructure systems." The notice, sent to the project's fedora-announce-list reported that the issue would likely cause system outages, and strongly recommended that users not update their systems or download any new Fedora-signed packages until the issue was resolved. Few details of the "issue" were released, and little information on the recovery team's progress was forthcoming, beyond equally vague progress reports.

The "issue" was finally disclosed Friday morning in a lengthy posting from Frields to the same mailing list. The "Infrastructure report" revealed that "some Fedora servers" were breached, though it was claimed that the intrusion was "quickly discovered" resulting in the server outage. According to Frields, the project's infrastructure team immediately began analyzing and repairing the damage, as well as performing system upgrades where necessary, a task that remains underway.

It was also disclosed that one of the breached systems was a server utilized in package-signing, leading to the warning against updating or downloading new packages. Though the team has "high confidence" that the package-signing key's passphrase was not obtained, the project has decided to convert to new keys, a process which may require affirmative steps by all Fedora users. Frields pledged that any necessary steps would be "widely and clearly" communicated to users. The report noted that the team has carefully analyzed the project's package collection and could find no evidence of any "loss of package integrity," leading them to rescind the advisory against downloading and updating packages — which Frields described as "based on an abundance of caution."

The report also disclosed that Red Hat experienced a similar breach, noting that Red Hat, Inc. has advised that Red Hat Enterprise Linux users who utilize the Red Hat Network are not at risk, but those who utilize packages obtained from unofficial sources shoudl exercise additional caution. Frields stressed that the effects of the two intrusions were not the same, and that the keys used to sign Fedora packages are different from those used for RHEL packages, as well as from the keys used to sign Extra Packages for Enterprise Linux.

______________________

Justin Ryan is a Contributing Editor for Linux Journal.

Webinar
One Click, Universal Protection: Implementing Centralized Security Policies on Linux Systems

As Linux continues to play an ever increasing role in corporate data centers and institutions, ensuring the integrity and protection of these systems must be a priority. With 60% of the world's websites and an increasing share of organization's mission-critical workloads running on Linux, failing to stop malware and other advanced threats on Linux can increasingly impact an organization's reputation and bottom line.

Learn More

Sponsored by Bit9

Webinar
Linux Backup and Recovery Webinar

Most companies incorporate backup procedures for critical data, which can be restored quickly if a loss occurs. However, fewer companies are prepared for catastrophic system failures, in which they lose all data, the entire operating system, applications, settings, patches and more, reducing their system(s) to “bare metal.” After all, before data can be restored to a system, there must be a system to restore it to.

In this one hour webinar, learn how to enhance your existing backup strategies for better disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly flexible bare-metal recovery solution for UNIX and Linux systems.

Learn More

Sponsored by Storix