Red Hat, Fedora Servers Compromised
An anonymous reader writes "In an email sent to the fedora-announce mailing list, it has been revealed that both Fedora and Red Hat servers have been compromised. As a result, Fedora is changing their package signing key. Red Hat has released a security advisory and a script to detect potentially compromised openssh packages."
They should have run a secure OS like Vista.
Source code filching! Nothing else.
In keeping with the spirit of /., I didn't read TFA.
However, I'd say this is totally unrelated to the Debian bug. The Debian bug was caused as a result of a change a Debian package maintainer made. Since he only made the change for the Debian package and didn't push it back upstream, it's highly unlikely that they are related.
"Just run this shell script to verify you're not infected"
No way I'm falling for that one.
Back to work.
I can confirm that Jesus falcon punched Obama until he gave up the secret 30 government 0-days in the kernel.
Yeah, I guess they don't care that a kernel compromise completely negates any security benefit from SELinux.
Nice. I just compiled 2.6.27-rc4 on my notebook so I guess I'm safe for now. ;)
Our code signing machine is locked in a cage and powered up only for purposes of code signing. Executables to be signed are written to a previously wiped USB drive which is attached to the signing machine only when packages are to be signed. The signing machine has not been connected to a network since before the keys were generated. The private key only exists on that machine and in a single separately encrypted backup.
Meh!
Well, my code signing machine is more secure. We don't put USB sticks directly into the signing machine. We copy the package to a USB stick and then to the 'transfer' machine. The code signing machine is then 'connected' to the transfer machine by infrared link, which is unblocked by lifting a large steel slab out of the way. The transfer happens via zmodem, and it is scanned on both the transfer machine and the code signing machine. Finally we sign the package and transfer it back just before the poor intern's strength gives out and the steel slab slams back down, killing the connection and the intern... (just in case he saw me type in the 42-character passphrase to the private key).
Beat that security...
There's no place like
I don't network any of my computers.
Semi-automatic amateur armchair Australian philosopher; conjecture ready at any moment...