Fedora infrastructure breach?

Has there been a security breach in Red Hat Fedora's infrastructure systems?

According to a cryptic announcement posted to the Fedora-Announce mailing list, the open-source group is investigating an unspecified "issue in the infrastructure systems" that has resulted in widespread service outages.

In the note, Fedora maintainers recommend that end users avoid downloading packages on Fedora systems, which strongly hints at a security-related problem:

  • The Fedora Infrastructure team is currently investigating an issue in the infrastructure systems. That process may result in service outages, for which we apologize in advance. We're still assessing the end-user impact of the situation, but as a precaution, we recommend you not download or update any additional packages on your Fedora systems.

A follow-up message posted over the weekend said the investigations were continuing but there are no details available on the cause of the problem.

Efforts to contact Red Hat Fedora maintainers have so far been unsuccessful. I will update this post as necessary.

* Image credit: jgbrl's Flickr photostream (Creative Commons 2.0)

Talkback

10 comments
  • Denial isn't a river in Egypt

    Rather than deny anything, the Fedora team is just going to try to keep it under wraps. Wonder what OS their servers are running?
    NotMSUser
  • Updates seemed to be working last night

    But thanks for the heads up.
    John L. Ries
    • May or may not be related

      When I went to reboot the machine tonight, GRUB appeared to have been clobbered (all I got was the word "GRUB"). A reinstallation of GRUB (from the handy dandy install DVD) fixed the problem.
      John L. Ries
    • Yes, but those updates may be compromised.

      Updates of Fedora recently may be compromised by a cracker (hacker gone bad) so updates for Fedora are in question now. Make sure there are no unusual activities or network traffic on your system since you -may- and the key word is "may" download compromised software.
      phatkat
  • RE: Fedora infrastructure breach?

    Hopefully they didn't lose the information they'll need for a post-mortem and the reason for the downtime is forensics.
    npdavis@...
  • RE: Fedora infrastructure breach?

    I wonder what desktop Bill Gates is running.
    bbneo
  • This is the evidence that linux and open source are unsafe

    This is the evidence that linux and open source are unsafe
    qmlscycrajg
  • what makes you think it is a security issue?

    There is nothing in the post from the Fedora team that suggests their problem is security related. They may have a problem with their hardware or their link to the Internet and want to reduce the load on their server while they get them going again. Ryan, I think you are jumping confusions...
    OzDot
    • this

      http://rhn.redhat.com/errata/RHSA-2008-0855.html

      "In connection with the incident, the intruder was able to sign a small
      number of OpenSSH packages relating only to Red Hat Enterprise Linux 4
      (i386 and x86_64 architectures only) and Red Hat Enterprise Linux 5 (x86_64
      architecture only). As a precautionary measure, we are releasing an
      updated version of these packages, and have published a list of the
      tampered packages and how to detect them at
      http://www.redhat.com/security/data/openssh-blacklist.html"
      Donald75
      • hindsight is 50/50

        This release from RH came out after my comment and after the blog entry was posted. At the time, there was nothing to suggest the problem was security related - at least nothing in the cited reference for the blog entry.
        OzDot