From Fedora Project Wiki

m (→‎Breaking News on the Infrastructure Outage: add info on past exploits and compromises)

Revision as of 12:18, 22 August 2008

Breaking News on the Infrastructure Outage

This special issue of FWN covers the infrastructure problems. As reported in FWN#139 "General Outage of Fedora Infrastructure", all that was known[1] was that the problems became obvious to a wide audience on August 13th.

[1] http://fedoraproject.org/wiki/FWN/LatestIssue#General_Outage_of_Fedora_Infrastructure

An update[2] was posted by Paul Frields on 18 August which listed the services that had returned to normal and those expected to return to normal soon. Public speculation latched on[3][4] to the fact that the SSH keys of "fedorahosted" had changed. Most guesses used this as evidence that something similar to the recent 2008 Debian OpenSSL vulnerabilities[7] (not to be confused with the 2003 Debian Project compromise[5], which was due to a 0-day kernel exploit, or the 2006 compromise[6]) had occurred. FAS holders received an email asking them to reset their passwords as a precautionary measure, which further heightened suspicions that something similar to the SSL problem had occurred. Some confusion prevailed[8] on @fedora-devel as to whether it was possible to trust the new key fingerprint on the website. JimMeyering added[8a] a useful post which explained how to change from using a DSA ssh key to an RSA ssh key. Overall there was a surprisingly low level of public discussion of the problem, and it was not until 18 August that some complaints about the lack of information were expressed[9] on @fedora-list.

[2] https://www.redhat.com/archives/fedora-announce-list/2008-August/msg00011.html

[3] http://lwn.net/Articles/294547/

[4] https://www.redhat.com/archives/fedora-devel-list/2008-August/msg00790.html

[5] A key developer's machine was compromised due to a kernel exploit[5a], and password sniffers were then installed which provided the attacker(s) with root access to at least one key Debian server (klecker.debian.org). This was used as a staging post to install another sniffer, and a chain of two more servers was compromised. As a result of modifications made to one of the kernels it started oopsing, and investigation of this revealed the problem.

[5a] http://www.securityfocus.com/archive/1/346095/2003-11-28/2003-12-04/0

[6] http://www.debian.org/News/2006/20060713

[7] Metasploit has an excellent writeup on the topic here: http://www.metasploit.com/users/hdm/tools/debian-openssl/

[8] https://www.redhat.com/archives/fedora-devel-list/2008-August/msg00841.html

[9] https://www.redhat.com/archives/fedora-list/2008-August/msg01953.html

On 22 August Paul Frields posted[10] an announcement stating that an intrusion had been detected on Fedora Project machines, including the package signing machine. An extensive audit suggests that the passphrase to the key was not sniffed, yet it was decided to treat the intrusion as having potentially compromised the key. As a result, all the keys are being reissued.

Actual and Potential Compromises of Distros in the Past

Debian 2003 http://www.securityfocus.com/archive/1/346095/2003-11-28/2003-12-04/0

Debian 2006 http://www.debian.org/News/2006/20060713

Ubuntu 2007 https://lists.ubuntu.com/archives/loco-contacts/2007-August/001510.html

Debian and all downstream derivatives 2006-2008 http://www.metasploit.com/users/hdm/tools/debian-openssl/