I received this email today:

From: "Paul W. Frields" <stickster@gmail.com>
To: fedora-announce-list <fedora-announce-list@redhat.com>
Subject: Infrastructure report, 2008-08-22 UTC 1200

Last week we discovered that some Fedora servers were illegally
accessed. The intrusion into the servers was quickly discovered,
and the servers were taken offline.

Security specialists and administrators have been working since
then to analyze the intrusion and the extent of the compromise
as well as reinstall Fedora systems. We are using the requisite
outages as an opportunity to do other upgrades for the sake of
functionality as well as security. Work is ongoing, so please
be patient. Anyone with pertinent information relating to this
event is asked to contact fedora-legal@redhat.com.

One of the compromised Fedora servers was a system used for
signing Fedora packages. However, based on our efforts, we have
high confidence that the intruder was not able to capture the
passphrase used to secure the Fedora package signing key. Based
on our review to date, the passphrase was not used during the
time of the intrusion on the system and the passphrase is not
stored on any of the Fedora servers.

While there is no definitive evidence that the Fedora key has
been compromised, because Fedora packages are distributed via
multiple third-party mirrors and repositories, we have decided
to convert to new Fedora signing keys. This may require
affirmative steps from every Fedora system owner or
administrator. We will widely and clearly communicate any such
steps to help users when available.

Among our other analyses, we have also done numerous checks of
the Fedora package collection, and a significant amount of
source verification as well, and have found no discrepancies
that would indicate any loss of package integrity. These
efforts have also not resulted in the discovery of additional
security vulnerabilities in packages provided by Fedora.

Our previous warnings against further package updates were based
on an abundance of caution, out of respect for our users. This is
also why we are proceeding with plans to change the Fedora package
signing key. We have already started planning and implementing other
additional safeguards for the future. At this time we are confident
there is little risk to Fedora users who wish to install or upgrade
signed Fedora packages.

In connection with these events, Red Hat, Inc. detected an intrusion
of certain of its computer systems and has issued a communication to
Red Hat Enterprise Linux users which can be found at
http://rhn.redhat.com/errata/RHSA-2008-0855.html. This communication
states in part, "Last week Red Hat detected an intrusion on certain
of its computer systems and took immediate action. While the
investigation into the intrusion is on-going, our initial focus was
to review and test the distribution channel we use with our customers,
Red Hat Network (RHN) and its associated security measures. Based on
these efforts, we remain highly confident that our systems and
processes prevented the intrusion from compromising RHN or the
content distributed via RHN and accordingly believe that customers who
keep their systems updated using Red Hat Network are not at risk. We
are issuing this alert primarily for those who may obtain Red Hat
binary packages via channels other than those of official Red Hat
subscribers."

It is important to note that the effects of the intrusion on Fedora
and Red Hat are *not* the same. Accordingly, the Fedora package
signing key is not connected to, and is different from, the one used
to sign Red Hat Enterprise Linux packages. Furthermore, the Fedora
package signing key is also not connected to, and is different from,
the one used to sign community Extra Packages for Enterprise Linux
(EPEL) packages.

We will continue to keep the Fedora community notified of any
updates.

Thank you again for your patience.
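The announcement says the key change "may require affirmative steps from every Fedora system owner or administrator" but does not spell them out. As an added example (mine, not part of the Fedora announcement or of any Fedora tooling), the script below is the post-rotation audit I would run on a host: it lists which package-signing public keys the RPM database still trusts and which installed packages were signed by a key that is no longer on the trusted list. The key IDs, the sample lines and the exact `--qf` query strings are assumptions; substitute the fingerprint Fedora publishes for the replacement key.

```shell
#!/bin/sh
# Added example, not from the Fedora announcement: audit a Fedora host after
# a package-signing key rotation. Two checks:
#   1. which gpg-pubkey entries the RPM database trusts (retired keys should
#      be removed with `rpm -e gpg-pubkey-<id>-<ts>`), and
#   2. which installed packages are unsigned or signed by a key outside the
#      allowlist (candidates for reinstall from a trusted mirror).
# The key IDs below are placeholders (assumption), as is the query format.

# Placeholder allowlist of 8-hex-digit short key IDs that remain trusted.
# rpm stores an imported key as the pseudo-package gpg-pubkey-<shortid>-<ts>.
TRUSTED_KEY_IDS="deadbe01 deadbe02"

# is_trusted_key <shortid>: exit 0 if the id is on the allowlist.
is_trusted_key() {
    case " $TRUSTED_KEY_IDS " in
        *" $1 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_trusted_keys reads, from stdin, lines shaped like the output of
#   rpm -q gpg-pubkey --qf '%{version}-%{release} %{summary}\n'
# and prints every imported key that is not on the allowlist. Exit 1 if any.
audit_trusted_keys() {
    rc=0
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        keyid=${line%%-*}               # version field = short key id
        is_trusted_key "$keyid" || { echo "RETIRED KEY STILL IMPORTED: $line"; rc=1; }
    done
    return $rc
}

# audit_package_signers reads, from stdin, lines shaped like the output of
#   rpm -qa --qf '%{name}-%{version}-%{release} %{SIGPGP:pgpsig}\n'
# (assumption: DSA-signed packages of the era live in SIGGPG instead), where
# the signature column ends in "Key ID <16 hex digits>" or is "(none)" for
# an unsigned package. Prints unsigned packages and packages signed by a key
# outside the allowlist. Exit 1 if any.
audit_package_signers() {
    rc=0
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        pkg=${line%% *}
        case "$line" in
            *"(none)") echo "UNSIGNED: $pkg"; rc=1; continue ;;
        esac
        longid=${line##* }              # last word = 16-hex-digit key id
        shortid=$(printf '%s' "$longid" | tail -c 8)
        is_trusted_key "$shortid" || { echo "UNTRUSTED SIGNER $longid: $pkg"; rc=1; }
    done
    return $rc
}

# Constructed sample input (not real Fedora data) so the script runs offline:
# one trusted key plus one retired key; one package signed by each and one
# unsigned local build.
SAMPLE_KEYS='deadbe01-48a0c0f0 gpg(Fedora (placeholder new key) <fedora@fedoraproject.org>)
0badf00d-44e51e4d gpg(Fedora (placeholder retired key) <fedora@fedoraproject.org>)'
SAMPLE_PKGS='bash-3.2-22.fc9 RSA/SHA1, Wed 09 Apr 2008 10:00:00 UTC, Key ID 89abcdefdeadbe01
coreutils-6.10-29.fc9 RSA/SHA1, Thu 10 Apr 2008 10:00:00 UTC, Key ID 89abcdef0badf00d
localbuild-1.0-1 (none)'

if [ "${1:-}" = "--live" ]; then
    # Run against the real RPM database of this host.
    status=0
    rpm -q gpg-pubkey --qf '%{version}-%{release} %{summary}\n' | audit_trusted_keys || status=1
    rpm -qa --qf '%{name}-%{version}-%{release} %{SIGPGP:pgpsig}\n' | audit_package_signers || status=1
else
    # Offline demonstration on the constructed sample above.
    status=0
    printf '%s\n' "$SAMPLE_KEYS" | audit_trusted_keys || status=1
    printf '%s\n' "$SAMPLE_PKGS" | audit_package_signers || status=1
fi
echo "audit result: $status (1 = findings above need attention)"
```

Run it with no arguments to see the two findings on the sample data (the retired key still imported, and the package it signed plus the unsigned local build), or with `--live` on a Fedora host after editing `TRUSTED_KEY_IDS`. A retired key that is still imported is the important one to remove: as long as it is trusted, a package signed with it would still install cleanly, which is exactly the exposure the key change is meant to close.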