Fedora and Red Hat servers compromised – CentOS unaffected
Let’s start with an item that dominated the coverage on many Linux web sites – the security breach of Fedora and Red Hat servers. This is what happened: “Last week we discovered that some Fedora servers were illegally accessed. The intrusion into the servers was quickly discovered, and the servers were taken offline. One of the compromised Fedora servers was a system used for signing Fedora packages. However, based on our efforts, we have high confidence that the intruder was not able to capture the passphrase used to secure the Fedora package signing key.” The fact that it took Fedora more than a week to publish a report on the problem was heavily criticised by some media (see this article by ITWire). However, the simple truth is that as soon as Fedora discovered the breach, they have stopped providing software updates, they mobilised their resources to deal with the situation and, once they analysed the extent of the problem, published a report about it. That’s pretty much what I would expect from any distribution – nothing more and nothing less. The incident also confirms another fact: there is no such thing as “100% secure” and similar issues are bound to happen from time to time (one of the Debian servers was also hit by a security compromise in July 2006). While it is regrettable that a server of a major Linux project gets broken into, there is no doubt that Fedora has dealt with the situation in a highly efficient, competent and responsible manner.
As far as the users of Red Hat Enterprise Linux are concerned, the company sent out the following security alert (RHSA-2008-0855) to its customers: “Last week Red Hat detected an intrusion on certain of its computer systems and took immediate action. … In connection with the incident, the intruder was able to sign a small number of OpenSSH packages relating only to Red Hat Enterprise Linux 4 (i386 and x86_64 architectures only) and Red Hat Enterprise Linux 5 (x86_64 architecture only). As a precautionary measure, we are releasing an updated version of these packages, and have published a list of the tampered packages and how to detect them.” But those customers who use Red Hat Network to update their products are not affected by the issue: “Our processes and efforts to date indicate that packages obtained by Red Hat Enterprise Linux subscribers via Red Hat Network are not at risk.”
Next, it was the turn of CentOS, a distribution that is effectively a clone of Red Hat Enterprise Linux (RHEL) and which uses RHEL packages for their own security updates. Karanbir Singh in CentOS position on systems intrusion at Red Hat: “We take security issues very seriously, and as soon as we were made aware of the situation I undertook a complete audit of the entire CentOS 4/5 build and signing infrastructure. We can now assure everyone that no compromise has taken place anywhere within the CentOS infrastructure. Our entire set-up is located behind multiple firewalls, and only accessible from a very small number of places, by only a few people. Also included in this audit were all entry points to the build services, signing machines, primary release machines and connectivity between all these hosts. … Finally, while we feel confident that there is no possibility of this compromise having been passed onto the CentOS user base, we still encourage users to verify their packages independently using whatever resources they might have available.”
[Hahaha… Source: Distrowatch]