Slashdot Mirror


Red Hat, Fedora Servers Compromised

An anonymous reader writes "In an email sent to the fedora-announce mailing list, it has been revealed that both Fedora and Red Hat servers have been compromised. As a result Fedora is changing their package signing key. Red Hat has released a security advisory and a script to detect potentially compromised openssh packages."
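The summary above mentions two responses: Fedora rotating its package signing key and Red Hat shipping a script to spot suspect openssh packages. The script below is an added example of the kind of check an administrator would run after such an announcement; it is not Red Hat's script and not code from the original page. It parses the output of `rpm -qa --qf '... %{SIGPGP:pgpsig}'` and flags openssh packages that are unsigned, signed by a key outside an allowlist, or on a list of known-bad package names. The key IDs, package versions, known-bad entries and sample rpm output are all constructed placeholders, not values from the 2008 incident.

```python
"""Audit installed openssh RPMs by signing key ID and a known-bad list.

Added example. SAMPLE_OUTPUT is constructed data in the format produced by
    rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH} %{SIGPGP:pgpsig}\n' 'openssh*'
TRUSTED_KEY_IDS and KNOWN_BAD are placeholders to be replaced with the key IDs
and package names from the vendor advisory you are acting on.
"""
import re
import subprocess

# Placeholder: 64-bit key IDs (lowercase hex, as printed at the end of rpm's
# pgpsig string) of the vendor signing keys you currently trust.
TRUSTED_KEY_IDS = {"0123456789abcdef"}

# Placeholder: exact NAME-VERSION-RELEASE.ARCH strings an advisory lists as tampered.
KNOWN_BAD = {"openssh-4.3p2-0.example.x86_64"}

# rpm prints the signature header as e.g.
#   "DSA/SHA1, Mon 11 Feb 2008 01:00:00 PM UTC, Key ID 0123456789abcdef"
# or "(none)" for an unsigned package.
SIG_RE = re.compile(r"Key ID ([0-9a-f]{16})$")

QUERY_FORMAT = "%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH} %{SIGPGP:pgpsig}\n"

# Constructed sample output covering all four verdicts.
SAMPLE_OUTPUT = """\
openssh-4.3p2-0.example.x86_64 RSA/SHA1, Thu 14 Aug 2008 10:00:00 AM UTC, Key ID 0123456789abcdef
openssh-clients-4.3p2-16.example.x86_64 DSA/SHA1, Mon 11 Feb 2008 01:00:00 PM UTC, Key ID 0123456789abcdef
openssh-server-4.3p2-16.example.x86_64 DSA/SHA1, Mon 11 Feb 2008 01:00:00 PM UTC, Key ID fedcba9876543210
openssh-askpass-4.3p2-16.example.x86_64 (none)
"""


def parse_rpm_lines(text):
    """Yield (nvra, key_id) pairs; key_id is None for unsigned packages."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        nvra, _, sig = line.partition(" ")
        match = SIG_RE.search(sig)
        yield nvra, (match.group(1) if match else None)


def audit(text, trusted=TRUSTED_KEY_IDS, known_bad=KNOWN_BAD):
    """Map each package to 'known-bad', 'unsigned', 'untrusted-key' or 'ok'.

    A known-bad name wins regardless of signature, since a compromised
    build host can produce a correctly signed bad package.
    """
    verdicts = {}
    for nvra, key_id in parse_rpm_lines(text):
        if nvra in known_bad:
            verdicts[nvra] = "known-bad"
        elif key_id is None:
            verdicts[nvra] = "unsigned"
        elif key_id not in trusted:
            verdicts[nvra] = "untrusted-key"
        else:
            verdicts[nvra] = "ok"
    return verdicts


def query_installed(pattern="openssh*"):
    """Return rpm's output for the local system (requires the rpm binary)."""
    proc = subprocess.run(
        ["rpm", "-qa", "--qf", QUERY_FORMAT, pattern],
        capture_output=True, text=True, check=True,
    )
    return proc.stdout


if __name__ == "__main__":
    # Swap SAMPLE_OUTPUT for query_installed() on a real RPM-based host.
    for nvra, verdict in sorted(audit(SAMPLE_OUTPUT).items()):
        print(f"{verdict:14s} {nvra}")
```

Two caveats a practitioner should keep in mind. Reading the key ID from the signature header only tells you which key the package claims to be signed with; run `rpm -K` (`rpm --checksig`) against the installed package files, or verify the downloaded RPMs, to confirm the signature actually checks out. And an allowlist of key IDs only helps after you have learned that a key is no longer trustworthy, which is exactly why a vendor advisory with a concrete list of affected packages matters.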

7 of 278 comments

  1. Do they run linux? by mulvane · Score: 5, Funny

    They should have run a secure OS like vista.

    1. Re:Do they run linux? by GXTi · Score: 5, Funny

      Don't worry, whatever this "linux" thing is, it can't possibly run without an Operating System to support it, e.g. Microsoft Windows®. All applications require an Operating System to run, including "linux".

    2. Re:Do they run linux? by initdeep · Score: 3, Funny

      ***Whoosh***

    3. Re:Do they run linux? by WeeLad · Score: 3, Funny

      To be fair, sometimes jokes go so far overhead that the whoosh would be imperceptible

      --
      Seriously, Don't take anything I say seriously.
  2. Re:Nothing to see here. by Anonymous Coward · Score: 3, Funny

    Yeah, I guess they don't care that a kernel compromise completely negates any security benefit from SELinux.

  3. Re:roughly 30 kernel 0dayz circulating by sdsucks · Score: 3, Funny

    Nice. I just compiled 2.6.27-rc4 on my notebook so I guess I'm safe for now. ;)

  4. Re:Nothing to see here. by darkpixel2k · Score: 3, Funny

    Our code signing machine is locked in a cage and powered up only for purposes of code signing. Executables to be signed are written to a previously wiped USB drive which is attached to the signing machine only when packages are to be signed. The signing machine has not been connected to a network since before the keys were generated. The private key only exists on that machine and in a single separately encrypted backup.

    Meh!

    Well, my code signing machine is more secure. We don't put USB sticks directly into the signing machine. We copy the package to a USB stick and then to the 'transfer' machine. The code signing machine is then 'connected' to the transfer machine by infrared link, which is unblocked by lifting a large steel slab out of the way. The transfer happens via zmodem, and it is scanned on both the transfer machine and the code signing machine. Finally we sign the package and transfer it back just before the poor intern's strength gives out and the steel slab slams back down, killing the connection and the intern... (just in case he saw me type in the 42-character passphrase to the private key).

    Beat that security...

    --
    There's no place like ::1 (I've completed my transition to IPv6)