FWN/Issue140

From FedoraProject

Revision as of 12:18, 22 August 2008 by Ush (Talk | contribs)

Breaking News on the Infrastructure Outage

This special issue of FWN covers the infrastructure problems. As reported in FWN#139 "General Outage of Fedora Infrastructure", all that was known[1] was that the problems became obvious to a wide audience on August 13th.

[1] http://fedoraproject.org/wiki/FWN/LatestIssue#General_Outage_of_Fedora_Infrastructure

An update[2] was posted by Paul Frields on 18 August which listed the services which had returned to normal and those which were expected to return to normal soon. Public speculation latched on[3][4] to the fact that the SSH keys of "fedorahosted" had changed. Most guesses used this as evidence that something similar to the recent 2008 Debian OpenSSL vulnerabilities (not to be confused with the 2003 Debian Project compromise[5], which was due to a 0-day kernel exploit, or the 2006 compromise[6]) had occurred. FAS holders received an email asking them to reset their passwords as a precautionary measure, which further heightened suspicions that something similar to the SSL problem had occurred. Some confusion prevailed[8] on @fedora-devel as to whether it was possible to trust the new key fingerprint on the website. JimMeyering added[8a] a useful post which explained how to change from using a DSA ssh key to an RSA ssh key. Overall there was a surprisingly low level of public discussion of the problem, and it was not until 18 August that some complaints about the lack of information were expressed[9] on @fedora-list.

[2] https://www.redhat.com/archives/fedora-announce-list/2008-August/msg00011.html

[3] http://lwn.net/Articles/294547/

[4] https://www.redhat.com/archives/fedora-devel-list/2008-August/msg00790.html

[5] A key developer's machine was compromised due to a kernel exploit[5a] and then password sniffers were installed which provided the attacker(s) with root access to at least one key Debian server (klecker.debian.org). This was used as a staging post to install another sniffer, and a chain of two more servers was compromised. As a result of modifications made to one of the kernels it started OOPSing, and investigation of this revealed the problem.

[5a] http://www.securityfocus.com/archive/1/346095/2003-11-28/2003-12-04/0

[6] http://www.debian.org/News/2006/20060713

[7] Metasploit has an excellent writeup on the topic here: http://www.metasploit.com/users/hdm/tools/debian-openssl/

[8] https://www.redhat.com/archives/fedora-devel-list/2008-August/msg00841.html

[9] https://www.redhat.com/archives/fedora-list/2008-August/msg01953.html

On 22 August Paul Frields posted[10] an announcement stating that an intrusion had been detected on Fedora Project machines, including the package signing machine. An extensive audit suggests that the passphrase to the key was not sniffed, yet it was decided to treat the intrusion as having potentially compromised the key. As a result, all the keys are being reissued.