Fedora Project servers compromised

According to Fedora, some servers from the project were illegally accessed.

Quoting Paul W. Frields from Fedora:

One of the compromised Fedora servers was a system used for signing Fedora packages. However, based on our efforts, we have high confidence that the intruder was not able to capture the passphrase used to secure the Fedora package signing key. Based on our review to date, the passphrase was not used during the time of the intrusion on the system and the passphrase is not stored on any of the Fedora servers.

While there is no definitive evidence that the Fedora key has been compromised, because Fedora packages are distributed via multiple third-party mirrors and repositories, we have decided to convert to new Fedora signing keys. This may require affirmative steps from every Fedora system owner or administrator. We will widely and clearly communicate any such steps to help users when available.

Here’s the Fedora announcement and the security advisory by Red Hat.

And one more detail: the Fedora servers are hosted by Red Hat Inc. I hope that this isn’t much bigger than it seems.

One Response to “Fedora Project servers compromised”

  1. Rui Miguel Silva Seabra
    23. August 2008 at 18:25

    If I’m not mistaken, Red Hat uses HSMs which hold the digital key. Since Fedora will be updating the key and Red Hat not, I’m willing to bet Fedora’s key is not on an HSM.

    It is a big deal because it’s the first time in its long history that something like this happened, but looking at the announcements from a security point of view it is bad, but not the worst that could happen.
