Fedora "Issue" Revealed: Haxored!

The mysterious "issue" with the Fedora Project's "infrastructure systems" has finally been revealed: an unidentified number of the project's servers were "illegally accessed" — hacked — along with an unidentified number of servers servicing Red Hat Enterprise Linux.

Breaking News first reported last week that Paul Frields, Fedora Project Leader, had issued a vague and somewhat shadowy advisory regarding an "issue" with the project's "infrastructure systems." The notice, sent to the project's fedora-announce-list reported that the issue would likely cause system outages, and strongly recommended that users not update their systems or download any new Fedora-signed packages until the issue was resolved. Few details of the "issue" were released, and little information on the recovery team's progress was forthcoming, beyond equally vague progress reports.

The "issue" was finally disclosed Friday morning in a lengthy posting from Frields to the same mailing list. The "Infrastructure report" revealed that "some Fedora servers" were breached, though it was claimed that the intrusion was "quickly discovered" resulting in the server outage. According to Frields, the project's infrastructure team immediately began analyzing and repairing the damage, as well as performing system upgrades where necessary, a task that remains underway.

It was also disclosed that one of the breached systems was a server utilized in package-signing, leading to the warning against updating or downloading new packages. Though the team has "high confidence" that the package-signing key's passphrase was not obtained, the project has decided to convert to new keys, a process which may require affirmative steps by all Fedora users. Frields pledged that any necessary steps would be "widely and clearly" communicated to users. The report noted that the team has carefully analyzed the project's package collection and could find no evidence of any "loss of package integrity," leading them to rescind the advisory against downloading and updating packages — which Frields described as "based on an abundance of caution."

The report also disclosed that Red Hat experienced a similar breach, noting that Red Hat, Inc. has advised that Red Hat Enterprise Linux users who utilize the Red Hat Network are not at risk, but those who utilize packages obtained from unofficial sources shoudl exercise additional caution. Frields stressed that the effects of the two intrusions were not the same, and that the keys used to sign Fedora packages are different from those used for RHEL packages, as well as from the keys used to sign Extra Packages for Enterprise Linux.

______________________

Justin Ryan is a Contributing Editor for Linux Journal.

White Paper
Fabric-Based Computing Enables Optimized Hyperscale Data Centers

Today’s modular x86 servers are compute-centric, designed as a least common denominator to support a wide range of IT workloads. Those generic, virtualized IT workloads have much different resource optimization requirements than hyperscale and cloud applications. They have resulted in a “one size fits all” enterprise IT architecture that is not optimized for a specific set of IT workloads, and especially not emerging hyperscale workloads, such as web applications, big data, and object storage. In this report, you will learn how shifting the focus from traditional compute-centric IT architectures to an innovative disaggregated fabric-based architecture can optimize and scale your data center.

Learn More

Sponsored by AMD

White Paper
Red Hat White Paper: Using an Open Source Framework to Catch the Bad Guy

Built-in forensics, incident response, and security with Red Hat Enterprise Linux 6

Every security policy provides guidance and requirements for ensuring adequate protection of information and data, as well as high-level technical and administrative security requirements for a system in a given environment. Traditionally, providing security for a system focuses on the confidentiality of the information on it. However, protecting the data integrity and system and data availability is just as important. For example, when processing United States intelligence information, there are three attributes that require protection: confidentiality, integrity, and availability.

Learn more about catching the bad guy in this free white paper.

Learn More

Sponsored by DLT Solutions