Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

Fedora, Red Hat Servers Compromised

Popular Linux implementation will require changes in signing keys

Fedora Project leader Paul Frields ended speculation on Friday and revealed that the popular Linux implementation's servers have been breached.

"Last week, we discovered that some Fedora servers were illegally accessed," Frields said in a message to Fedora users about the security breach on Friday. "The intrusion into the servers was quickly discovered, and the servers were taken offline."

Fedora's servers have experienced some downtime in the past two weeks, and Frields had previously asked users not to download any new versions of the operating system, leading some observers to speculate that a security breach had occurred. (See Linux Users Speculate Over Fedora Outage.)

One of the compromised Fedora servers was a system used for signing Fedora packages, Frields said. "However, based on our efforts, we have high confidence that the intruder was not able to capture the passphrase used to secure the Fedora package signing key. Based on our review to date, the passphrase was not used during the time of the intrusion on the system, and the passphrase is not stored on any of the Fedora servers."

However, because Fedora packages are distributed via multiple third-party mirrors and repositories, the Fedora project has decided to convert to new Fedora signing keys, Frields said. "This may require affirmative steps from every Fedora system owner or administrator," he warned.

Frields said there is "little risk" to Fedora users who want to install or upgrade signed Fedora packages. Our previous warnings against further package updates were based on an abundance of caution, out of respect for our users," he said. "This is also why we are proceeding with plans to change the Fedora package signing key."

While Frields was issuing his warning, Red Hat also issued its own advisory on a security breach. "Last week, Red Hat detected an intrusion on certain of its computer systems and took immediate action," the advisory states.

"While the investigation into the intrusion is on-going, our initial focus was to review and test the distribution channel we use with our customers, Red Hat Network(RHN) and its associated security measures," the company said. "Based on these efforts, we remain highly confident that our systems and processes prevented the intrusion from compromising RHN or the content distributed via RHN, and accordingly believe that customers who keep their systems updated using Red Hat Network are not at risk."

The advisory is mainly for "those who may obtain Red Hat binary packages via channels other than those of official Red Hat subscribers," Red Hat said.

"It is important to note that the effects of the intrusion on Fedora and Red Hat are *not* the same," Frields wrote. "Accordingly, the Fedora package signing key is not connected to, and is different from, the one used to sign Red Hat Enterprise Linux packages."

Frields said the Fedora Project will contact users soon to let them know how to handle they change in signing keys.

— Tim Wilson, Site Editor, Dark Reading

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
For Cybersecurity to Be Proactive, Terrains Must Be Mapped
Craig Harber, Chief Technology Officer at Fidelis Cybersecurity,  10/8/2019
A Realistic Threat Model for the Masses
Lysa Myers, Security Researcher, ESET,  10/9/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-17593
PUBLISHED: 2019-10-14
JIZHICMS 1.5.1 allows admin.php/Admin/adminadd.html CSRF to add an administrator.
CVE-2019-17594
PUBLISHED: 2019-10-14
There is a heap-based buffer over-read in the _nc_find_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.
CVE-2019-17595
PUBLISHED: 2019-10-14
There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.
CVE-2019-14823
PUBLISHED: 2019-10-14
A flaw was found in the "Leaf and Chain" OCSP policy implementation in JSS' CryptoManager versions after 4.4.6, 4.5.3, 4.6.0, where it implicitly trusted the root certificate of a certificate chain. Applications using this policy may not properly verify the chain and could be vulnerable to...
CVE-2019-17592
PUBLISHED: 2019-10-14
The csv-parse module before 4.4.6 for Node.js is vulnerable to Regular Expression Denial of Service. The __isInt() function contains a malformed regular expression that processes large crafted input very slowly. This is triggered when using the cast option.