Red Hat, Fedora servers compromised

Linux seller says Red Hat and Fedora servers were breached but customers are not affected.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
Elinor Mills
2 min read

Red Hat warned on Friday that a network attack compromised some servers last week that are involved with both its commercially supported and free versions of Linux.

The breaches involved Red Hat Linux Enterprise servers and those from its community-supported Fedora project that it sponsors.

Red Hat said in a security advisory that it is confident the intrusion did not compromise the Red Hat Network, which is the chief mechanism used to distribute changes to its Red Hat Enterprise Linux product, or updates sent over the network. Therefore customers are not at risk, the company said.

The open-source vendor also released a script designed to detect potentially compromised OpenSSH (OpenBSD's Secure Shell protocol implementation) packages.

"We are issuing this alert primarily for those who may obtain Red Hat binary packages via channels other than those of official Red Hat subscribers," the advisory said.

The intruder was able to sign a "small number" of OpenSSH packages relating to Red Hat Enterprise Linux versions 4 and 5, so Red Hat is releasing an updated version of those packages. The company has published a list of the tampered packages and instructions for how to detect them.

A Fedora project leader issued an alert to a Fedora e-mail list that some Fedora servers were taken offline after they were found to have been illegally accessed last week.

"One of the compromised Fedora servers was a system used for signing Fedora packages. However, based on our efforts, we have high confidence that the intruder was not able to capture the passphrase used to secure the Fedora package signing key," the alert said.

Despite the fact that there is no evidence that the Fedora key has been compromised, Fedora is converting to new Fedora signing keys because Fedora packages are distributed via multiple third-party mirrors and repositories.