Fedora "Issue" Revealed: Haxored!
The mysterious "issue" with the Fedora Project's "infrastructure systems" has finally been revealed: an unidentified number of the project's servers were "illegally accessed" — hacked — along with an unidentified number of servers servicing Red Hat Enterprise Linux.
Breaking News first reported last week that Paul Frields, Fedora Project Leader, had issued a vague and somewhat shadowy advisory regarding an "issue" with the project's "infrastructure systems." The notice, sent to the project's fedora-announce-list reported that the issue would likely cause system outages, and strongly recommended that users not update their systems or download any new Fedora-signed packages until the issue was resolved. Few details of the "issue" were released, and little information on the recovery team's progress was forthcoming, beyond equally vague progress reports.
The "issue" was finally disclosed Friday morning in a lengthy posting from Frields to the same mailing list. The "Infrastructure report" revealed that "some Fedora servers" were breached, though it was claimed that the intrusion was "quickly discovered" resulting in the server outage. According to Frields, the project's infrastructure team immediately began analyzing and repairing the damage, as well as performing system upgrades where necessary, a task that remains underway.
It was also disclosed that one of the breached systems was a server utilized in package-signing, leading to the warning against updating or downloading new packages. Though the team has "high confidence" that the package-signing key's passphrase was not obtained, the project has decided to convert to new keys, a process which may require affirmative steps by all Fedora users. Frields pledged that any necessary steps would be "widely and clearly" communicated to users. The report noted that the team has carefully analyzed the project's package collection and could find no evidence of any "loss of package integrity," leading them to rescind the advisory against downloading and updating packages — which Frields described as "based on an abundance of caution."
The report also disclosed that Red Hat experienced a similar breach, noting that Red Hat, Inc. has advised that Red Hat Enterprise Linux users who utilize the Red Hat Network are not at risk, but those who utilize packages obtained from unofficial sources shoudl exercise additional caution. Frields stressed that the effects of the two intrusions were not the same, and that the keys used to sign Fedora packages are different from those used for RHEL packages, as well as from the keys used to sign Extra Packages for Enterprise Linux.