Fedora "Issue" Revealed: Haxored!
The mysterious "issue" with the Fedora Project's "infrastructure systems" has finally been revealed: an unidentified number of the project's servers were "illegally accessed" — hacked — along with an unidentified number of servers servicing Red Hat Enterprise Linux.
Breaking News first reported last week that Paul Frields, Fedora Project Leader, had issued a vague and somewhat shadowy advisory regarding an "issue" with the project's "infrastructure systems." The notice, sent to the project's fedora-announce-list reported that the issue would likely cause system outages, and strongly recommended that users not update their systems or download any new Fedora-signed packages until the issue was resolved. Few details of the "issue" were released, and little information on the recovery team's progress was forthcoming, beyond equally vague progress reports.
The "issue" was finally disclosed Friday morning in a lengthy posting from Frields to the same mailing list. The "Infrastructure report" revealed that "some Fedora servers" were breached, though it was claimed that the intrusion was "quickly discovered" resulting in the server outage. According to Frields, the project's infrastructure team immediately began analyzing and repairing the damage, as well as performing system upgrades where necessary, a task that remains underway.
It was also disclosed that one of the breached systems was a server utilized in package-signing, leading to the warning against updating or downloading new packages. Though the team has "high confidence" that the package-signing key's passphrase was not obtained, the project has decided to convert to new keys, a process which may require affirmative steps by all Fedora users. Frields pledged that any necessary steps would be "widely and clearly" communicated to users. The report noted that the team has carefully analyzed the project's package collection and could find no evidence of any "loss of package integrity," leading them to rescind the advisory against downloading and updating packages — which Frields described as "based on an abundance of caution."
The report also disclosed that Red Hat experienced a similar breach, noting that Red Hat, Inc. has advised that Red Hat Enterprise Linux users who utilize the Red Hat Network are not at risk, but those who utilize packages obtained from unofficial sources shoudl exercise additional caution. Frields stressed that the effects of the two intrusions were not the same, and that the keys used to sign Fedora packages are different from those used for RHEL packages, as well as from the keys used to sign Extra Packages for Enterprise Linux.
Justin Ryan is a Contributing Editor for Linux Journal.
|Using tshark to Watch and Inspect Network Traffic||Aug 31, 2015|
|Where's That Pesky Hidden Word?||Aug 28, 2015|
|A Project to Guarantee Better Security for Open-Source Projects||Aug 27, 2015|
|Concerning Containers' Connections: on Docker Networking||Aug 26, 2015|
|My Network Go-Bag||Aug 24, 2015|
|Doing Astronomy with Python||Aug 19, 2015|
- Optimization in GCC
- Using tshark to Watch and Inspect Network Traffic
- Problems with Ubuntu's Software Center and How Canonical Plans to Fix Them
- Concerning Containers' Connections: on Docker Networking
- A Project to Guarantee Better Security for Open-Source Projects
- Where's That Pesky Hidden Word?
- Firefox Security Exploit Targets Linux Users and Web Developers
- My Network Go-Bag
- Doing Astronomy with Python
- Build a “Virtual SuperComputer” with Process Virtualization