Holy crap, that's quite a breach. Note that RedHat says, on the one hand, that

>> ...based on our efforts, we have high confidence
>> that the intruder was not able to capture the passphrase used to secure
>> the Fedora package signing key. Based on our review to date, the
>> passphrase was not used during the time of the intrusion on the system
>> and the passphrase is not stored on any of the Fedora servers."

On the other hand, they have issued a critical openssh security update (http://rhn.redhat.com/errata/RHSA-2008-0855.html) the description of which says:

>> In connection with the incident, the intruder was able to sign a small
>> number of OpenSSH packages relating only to Red Hat Enterprise Linux 4
>> (i386 and x86_64 architectures only) and Red Hat Enterprise Linux 5 (x86_64
>> architecture only). As a precautionary measure, we are releasing an
>> updated version of these packages, and have published a list of the
>> tampered packages and how to detect them at
>> http://www.redhat.com/security/data/openssh-blacklist.html

Is there a subtle distinction I'm missing here?

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blogs.pcmag.com/securitywatch/
Contributing Editor, PC Magazine
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Juha-Matti Laurio
Sent: Friday, August 22, 2008 10:45 AM
To: [email protected]
Subject: [funsec] Fedora confirms: Our servers were breached

New information about the "important infrastructure issue" affecting the Fedora Project has been released today.

Mr. Paul W. Frields, Fedora Project Leader, has posted an announcement about the facts, including:

"One of the compromised Fedora servers was a system used for signing Fedora packages."

More information available at
https://www.redhat.com/archives/fedora-announce-list/2008-August/msg00012.html
and
http://blogs.securiteam.com/index.php/archives/1130

Juha-Matti

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
