Fedora "Issue" Revealed: Haxored!
The mysterious "issue" with the Fedora Project's "infrastructure systems" has finally been revealed: an unidentified number of the project's servers were "illegally accessed" — hacked — along with an unidentified number of servers servicing Red Hat Enterprise Linux.
Breaking News first reported last week that Paul Frields, Fedora Project Leader, had issued a vague and somewhat shadowy advisory regarding an "issue" with the project's "infrastructure systems." The notice, sent to the project's fedora-announce-list reported that the issue would likely cause system outages, and strongly recommended that users not update their systems or download any new Fedora-signed packages until the issue was resolved. Few details of the "issue" were released, and little information on the recovery team's progress was forthcoming, beyond equally vague progress reports.
The "issue" was finally disclosed Friday morning in a lengthy posting from Frields to the same mailing list. The "Infrastructure report" revealed that "some Fedora servers" were breached, though it was claimed that the intrusion was "quickly discovered" resulting in the server outage. According to Frields, the project's infrastructure team immediately began analyzing and repairing the damage, as well as performing system upgrades where necessary, a task that remains underway.
It was also disclosed that one of the breached systems was a server utilized in package-signing, leading to the warning against updating or downloading new packages. Though the team has "high confidence" that the package-signing key's passphrase was not obtained, the project has decided to convert to new keys, a process which may require affirmative steps by all Fedora users. Frields pledged that any necessary steps would be "widely and clearly" communicated to users. The report noted that the team has carefully analyzed the project's package collection and could find no evidence of any "loss of package integrity," leading them to rescind the advisory against downloading and updating packages — which Frields described as "based on an abundance of caution."
The report also disclosed that Red Hat experienced a similar breach, noting that Red Hat, Inc. has advised that Red Hat Enterprise Linux users who utilize the Red Hat Network are not at risk, but those who utilize packages obtained from unofficial sources shoudl exercise additional caution. Frields stressed that the effects of the two intrusions were not the same, and that the keys used to sign Fedora packages are different from those used for RHEL packages, as well as from the keys used to sign Extra Packages for Enterprise Linux.
Justin Ryan is a Contributing Editor for Linux Journal.
|PostgreSQL, the NoSQL Database||Jan 29, 2015|
|HPC Cluster Grant Accepting Applications!||Jan 28, 2015|
|Sharing Admin Privileges for Many Hosts Securely||Jan 28, 2015|
|Red Hat Enterprise Linux 7.1 beta available on IBM Power Platform||Jan 23, 2015|
|Designing with Linux||Jan 22, 2015|
|Wondershaper—QOS in a Pinch||Jan 21, 2015|
- PostgreSQL, the NoSQL Database
- Sharing Admin Privileges for Many Hosts Securely
- Designing with Linux
- HPC Cluster Grant Accepting Applications!
- Wondershaper—QOS in a Pinch
- January 2015 Issue of Linux Journal: Security
- Internet of Things Blows Away CES, and it May Be Hunting for YOU Next
- Ideal Backups with zbackup
- Red Hat Enterprise Linux 7.1 beta available on IBM Power Platform
- Hats Off to Mozilla
Editorial Advisory Panel
Thank you to our 2014 Editorial Advisors!
- Jeff Parent
- Brad Baillio
- Nick Baronian
- Steve Case
- Chadalavada Kalyana
- Caleb Cullen
- Keir Davis
- Michael Eager
- Nick Faltys
- Dennis Frey
- Philip Jacob
- Jay Kruizenga
- Steve Marquez
- Dave McAllister
- Craig Oda
- Mike Roberts
- Chris Stark
- Patrick Swartz
- David Lynch
- Alicia Gibb
- Thomas Quinlan
- Carson McDonald
- Kristen Shoemaker
- Charnell Luchich
- James Walker
- Victor Gregorio
- Hari Boukis
- Brian Conner
- David Lane