Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

Fedora, Red Hat Servers Compromised

Popular Linux implementation will require changes in signing keys

Fedora Project leader Paul Frields ended speculation on Friday and revealed that the popular Linux implementation's servers have been breached.

"Last week, we discovered that some Fedora servers were illegally accessed," Frields said in a message to Fedora users about the security breach on Friday. "The intrusion into the servers was quickly discovered, and the servers were taken offline."

Fedora's servers have experienced some downtime in the past two weeks, and Frields had previously asked users not to download any new versions of the operating system, leading some observers to speculate that a security breach had occurred. (See Linux Users Speculate Over Fedora Outage.)

One of the compromised Fedora servers was a system used for signing Fedora packages, Frields said. "However, based on our efforts, we have high confidence that the intruder was not able to capture the passphrase used to secure the Fedora package signing key. Based on our review to date, the passphrase was not used during the time of the intrusion on the system, and the passphrase is not stored on any of the Fedora servers."

However, because Fedora packages are distributed via multiple third-party mirrors and repositories, the Fedora project has decided to convert to new Fedora signing keys, Frields said. "This may require affirmative steps from every Fedora system owner or administrator," he warned.

Frields said there is "little risk" to Fedora users who want to install or upgrade signed Fedora packages. Our previous warnings against further package updates were based on an abundance of caution, out of respect for our users," he said. "This is also why we are proceeding with plans to change the Fedora package signing key."

While Frields was issuing his warning, Red Hat also issued its own advisory on a security breach. "Last week, Red Hat detected an intrusion on certain of its computer systems and took immediate action," the advisory states.

"While the investigation into the intrusion is on-going, our initial focus was to review and test the distribution channel we use with our customers, Red Hat Network(RHN) and its associated security measures," the company said. "Based on these efforts, we remain highly confident that our systems and processes prevented the intrusion from compromising RHN or the content distributed via RHN, and accordingly believe that customers who keep their systems updated using Red Hat Network are not at risk."

The advisory is mainly for "those who may obtain Red Hat binary packages via channels other than those of official Red Hat subscribers," Red Hat said.

"It is important to note that the effects of the intrusion on Fedora and Red Hat are *not* the same," Frields wrote. "Accordingly, the Fedora package signing key is not connected to, and is different from, the one used to sign Red Hat Enterprise Linux packages."

Frields said the Fedora Project will contact users soon to let them know how to handle they change in signing keys.

— Tim Wilson, Site Editor, Dark Reading

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
4 Tips to Run Fast in the Face of Digital Transformation
Shane Buckley, President & Chief Operating Officer, Gigamon,  12/9/2019
US Sets $5 Million Bounty For Russian Hacker Behind Zeus Banking Thefts
Jai Vijayan, Contributing Writer,  12/5/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Our Endpoint Protection system is a little outdated... 
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-4245
PUBLISHED: 2019-12-11
Orca has arbitrary code execution due to insecure Python module load
CVE-2013-4593
PUBLISHED: 2019-12-11
RubyGem omniauth-facebook has an access token security vulnerability
CVE-2013-6495
PUBLISHED: 2019-12-11
JBossWeb Bayeux has reflected XSS
CVE-2013-7370
PUBLISHED: 2019-12-11
node-connect before 2.8.2 has cross site scripting in methodOverride Middleware
CVE-2019-18935
PUBLISHED: 2019-12-11
Progress Telerik UI for ASP.NET AJAX through 2019.3.1023 contains a .NET deserialization vulnerability in the RadAsyncUpload function. This is exploitable when the encryption keys are known due to the presence of CVE-2017-11317 or CVE-2017-11357, or other means. Exploitation can result in remote cod...