Slashdot Mirror

← Back to Stories (view on slashdot.org)

Red Hat, Fedora Servers Compromised

Posted by kdawson on from the quick-action dept.

An anonymous reader writes "In an email sent to the fedora-announce mailing list, it has been revealed that both Fedora and Red Hat servers have been compromised. As a result Fedora is changing their package signing key. Red Hat has released a security advisory and a script to detect potentially compromised openssh packages."

6 of 278 comments (clear)

  1. Nothing to see here. by Art+Popp · · Score: 5, Insightful

    These are the guys, to the annoyance of nearly everyone, who turned on SELinux on Fedora Core by default.

    These are the guys who noticed they annoyed everyone, and turned on targeted-mode by default.

    Coming from someone with many systems, completely exposed to the Internet, with thousand day uptimes, these RedHat folk are in fact sufficiently paranoid.

    They have taken all the reasonable precautions, and if their passphrase was strong, then the danger of my servers being compromised by meteor strike is a much greater worry.

    1. Re:Nothing to see here. by Chang · · Score: 5, Insightful

      Red Hat needs to offer more info before you can make a solid judgement about this.

      If the attacker gained access to the actual system where signing takes place then Red Hat needs to change the key.

      But from the announcement wording - they are suggesting that the attacker was able to submit packages to be signed but the actual signing server was not compromised.

      They should not have been so vague about this because it is a crucial distinction to make for their customer to make a security judgement.

      As a customer I'm not happy with the vague details on what was compromised. I'm sure they did it because they have concerns about describing their package signing systems in detail but they need to open the kimono and give us the detail we need to make a decision about reloading our systems.

      Merely saying, "trust us - anything that came from the official channel is safe" doesn't fly. You let an attacker gain unauthorized access - you need to re-earn trust at this point by giving us some detailed info.

    2. Re:Nothing to see here. by Timothy+Brownawell · · Score: 5, Insightful

      How well does that work if you can trick someone into loading the wrong package onto that USB key?

  2. Goes to show by BadAnalogyGuy · · Score: 5, Insightful

    Given enough time and energy, even Linux servers can be hacked.

    With the growing interest in Linux, I wonder if we'll see more parity of viruses between Windows and Linux.

    1. Re:Goes to show by Goaway · · Score: 5, Insightful

      The point is, there's no need to change system files or bind to privileged ports.

      Your documents contains LOTS of yummy personal information for people to steal. Identity thieves and credit card thieves will love all that stuff.

      Spammers need relays to send their spam through. You can run a relay just fine as a normal user. Same thing with the DDoS bot for exortotionists and script kiddies.

      You can mess with the internals of Firefox without root access too, through plugins. Easy to put a password stealer in there. Or you could mess with your desktop settings so that when you try to launch a browser, you get a compromised version instead.

      I'd say I've covered all the major reasons somebody would want to infect your machine here, and not a single system file or privileged port was needed for it.

  3. "Compromised?" by Hyppy · · Score: 5, Insightful

    I could not RTFA (/.ed), but is there any indication of how this "compromise" occurred?

    My hats off, though, to the Red Hat folks. Full disclosure and immediate positive action speaks volumes.

    On a related note, you should not use Fedora in a production environment anyway. That's what RHEL is for. Fedora = Testing. RHEL = Stable. At least in theory.