funsec mailing list archives

Re: Fedora confirms: Our servers were breached


From: "Larry Seltzer" <larry () larryseltzer com>
Date: Fri, 22 Aug 2008 12:25:38 -0400

Yes, the fact that Fedora isn't RHEL.

OK, thanks, I see that. Let me get something straight here:

... the intruder was able to sign a small number of OpenSSH packages
relating only to Red Hat Enterprise Linux...

So the suspicion is that the intruder inserted malicious code (or maybe
the Debian random number generator?) into the packages and signed them?

Is anyone else as appalled by this as I am? Has there been such a
compromise of a major OS before?

I also have to say that this is the first I've heard that RH and/or
Fedora sign their distribution packages. Is this common among Linux
distros?

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blogs.pcmag.com/securitywatch/
Contributing Editor, PC Magazine
larry.seltzer () ziffdavisenterprise com


-----Original Message-----
From: Valdis.Kletnieks () vt edu [mailto:Valdis.Kletnieks () vt edu] 
Sent: Friday, August 22, 2008 12:11 PM
To: Larry Seltzer
Cc: Juha-Matti Laurio; funsec () linuxbox org
Subject: Re: [funsec] Fedora confirms: Our servers were breached

On Fri, 22 Aug 2008 11:51:02 EDT, Larry Seltzer said:

...based on our efforts, we have high confidence that the intruder
was not able to capture the passphrase used to secure the Fedora
package signing key.
         ^^^^^^
number of OpenSSH packages relating only to Red Hat Enterprise Linux 4
(i386 and x86_64 architectures only) and Red Hat Enterprise Linux 5
                                              ^^^^^^^^^^^^^^^^^^^^^^^^
Is there a subtle distinction I'm missing here?

Yes, the fact that Fedora isn't RHEL.


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
