The majority of servers supporting the Fedora Linux distribution were back online on Tuesday following a mystery disruption. Last Thursday (14 August) Fedora project leader Paul Frields took the unusual step of advising users not to download or update their software, as a precaution while the Fedora team responded to an …
...don't tell me they signed their packages with one of those dodgy Debian-generated SSL certificates.
Joke icon, because this probably isn't one in reality....
Just want to be the first to say this
Does this mean *nix has security issues too like Windows?
/Flames because im sure i just started something
Is this why rkhunter keeps telling me that /bin/more has a bad signature and has changed since prelinking? (on FC5)
Err... as a tech. news site, why wasn't this covered at the time, eh ? It's a bit late telling people now...
not covered ?
Not covered because if you needed to know, you knew. When updates stopped on Fri, you searched around to find Paul's message.
Now, we should take elReg to task for not uncovering the cause of the outage. Rather than repeating public information, tell us what we do not know, like WHAT THE F IS GOING ON AT REDHAT ? excuse me for shouting.
Was redHat rooted ? Or did they merely have dodgy keygen code like debian ? Or maybe the keygen problems with deb have a secondary effect on rh, rh has asked all their contributors to regen SSH keys, partially (allegedly) to allow pruning of the weak debian keys.
Don't repeat the same crap. Tell us the truth, the whole truth, and nothing but the truth. Look hard for us.
A Fedora User Says ....
As a long time Fedora (and RH before that) user, I obviously have a vested interest. The Fedora Project team (and Red Hat) are very diligent - amongst the most diligent that I know in the broader Linux community. This makes it both more and less worrisome at the same time - it's not likely any compromise got far, but if Fedora can get hacked (if indeed that's what happened) then so can anyone.
Updates did indeed stop on August 14.
Why would Fedora/RH be using Debian anything, let alone Debian-generated SSL keys? I don't think that's the issue.
The Fedora Project will release more in due course, I'm sure, but what we really need from El Reg then is a no bullshit, zero-hype assessment of the Fedora situation and the ramifications for Linux repositories and resources in general ... and I'm serious about the zero-hype bit.
One more thing - does anyone else think that Microsoft might be capable of orchestrating a campaign of this nature against Linux distros?
@ Tom Chiverton
I agree with Tom Chiverton. I would have really appreciated a heads up, to make sure the appropriate people were reacting properly to a potential issue. Actually, I could see this being a huge issue for any organization that uses Fedora for even one critical system.
I also agree with the last sentence Herbert Meyer left, especially since this story is already at least partially stale. I make it a habit of reading El Reg because of the (sometimes) pithy, (usually) in-depth background reporting I cannot easily find elsewhere.
Having said that, someone please push Herbert Meyer back into the basement corner with the rest of the Linux admins, and tell him to get back to his scripts.
Fedora for critcial systems ????!!!!!
Dennis - anyone using Fedora for "even one critical system" and then having an issue with this didn't read the tin.For critical systems. use RHEL or, if you prefer, Centos, unless you are prepared to live with the risk of an update breaking it.
Anyone who uses Fedora on a critical system should not be in their job. Fedora is in essence a massive Red Hat beta test. It is a cutting edge Linux system containing the latest in (most) of the software with a continuous stream of updates, and with the current 9 month upgrade cycle it makes it not viable to use in any production system, critical or not.
If someone needs Linux in a critical system they would be better off going with either Red Hat, CentOS or Debian. There are a few more they could try as well but I can't be bothered to list them all.
Probably not much to worry about
Actually, there probably isn't a lot to worry about.
If you last updated before the attack (if that is indeed what it was) happened, you're in the clear. And if you updated since the attack but only downloaded non-compromised packages, you're also in the clear.
No doubt we will find out more in due course. So let the MS Fanbois have their little moment of glory ..... they'll be laughing on the other side of their faces soon enough.
So I should subscribe to the -announce mailing list for every single project I use ? gcc ? libc ? ... ? The volumn would be huge, which is why in the case of big/serious issues, I expect news sites to at least mention it.
I don't run 'yum update' everyday, just as the cron job emails me to say updates are due. This is probably common.
Schadenfreude #2 ?
Bad incident, but every cloud has a silver lining - lovely to see those smug smiles wiped off all those smug linux people, once again.
Not being taught, or not bothered, sufficiently about security will cause greater damage. At least if it happens at M$ or then they have a strong comercial incentive to fix it, otherwise their reputation gets hit more and they get flamed by the freetards.
If freetard software fails, then the yes they want to save face, but the same imperative is not there since their freetard supporters will not pay to shift to another OS. Indeed, the freetard company will do rather well out of their failure as they rack up extra support revenues to fix their own problems.
I used to love linux and hate MS, but you know what, when you take a bit of zen and think objectively you see the truth - for all its "evils" MS is nowhere near as the hype and freetards make out, and the freetards software is nowhere near as good as what they make out.
Yes the freetard project is a great, positive, benevolant, global human undertaking with great benefits and a great kick in the a$$ for M$, but there is a long way to go, especially on the rigours of security processes...but that also applies to MS.
"Actually, I could see this being a huge issue for any organization that uses Fedora for even one critical system."
Why would anybody use Fedora for a critical system? It is supposed to be a cutting edge distro with a very short (and community based) support cycle... not really something you should be using for critical systems.
So having established the absolute lunacy of using Fedora for critical systems, this issue should definitely be a cause for concern as I bet that's exactly what a number of companies are doing.
Anyway, in this case at least it's just the community test bed distro, if this had affected the Red Hat Enterprise Linux distro, then there would be major trouble ahead.....
Why would anybody use Fedora for a critical system?
From (current) experience that would be a combination of someone being too cheap to buy at least one kosher RedHat licence and also thinking they know everything and so we don't need support...
On a slightly better note said person has (rather belatedly) come to notice that using a (mainly) desktop OS with a frequent release cycle is probably not the bext thing to use on production systems. Though that's only because he's having a few storage-related problems. So soon we're off to CentOS which I guess is at least a step in the right direction.
Anon for obv reasons, and unhappy face as I have similar problems with monitoring and have to use the non-supported version of Zenoss, which is a complete nightmare to do anything with.
If the Fedora team are rebuilding all their systems - are *they* Fedora or RHEL? Hopefully they are or it implies that RHEL has been penetrated somehow.
That said, a fair proportion of hacks are down to misconfiguration or mistakes.
Microsoft probably had something to do with it
Fedora's keeping the details under their hat?
Mine's the one with the optical cloak and the asbestos lining...
Back in the basement ? Sorry, I have classes to teach. I will be back in the basement later, that's where the laptop is.
Excuse if I sounded like an Ausbergerian Troglodyte. I want to know what happened, RH hasn't explained yet.
If elReg can find out for me, reading it is worthwhile. If I want press releases, I would read CNet.
When Debian got r00ted a few years ago they did full disclosure. Dancing around the issue by not stating the reason for the outage just (1) makes me suspicious and (2) makes me assume the worst.
Debian GNU/Linux, Zeus uses it and you should too.
to the preachers (and a note to Herbert Meyer)
I think you got my subtle humor about the basement....thanks. I agree with your second comment 100%.
At those who feel like lecturing on not using Fedora for production systems:
I would suggest being a consultant for a period of time for exposure on just how bad some IT environments really are, especially in the SMB market. You are preaching to the choir and completely missing the point. Next time I will preemptively add caveats to my comments to try to prevent knee-jerk reactions from some readers.
Redhat Errata released
I imagine that Fedora's problems are related.
"Last week Red Hat detected an intrusion on certain of its computer systems
and took immediate action. "
"In connection with the incident, the intruder was able to sign a small
number of OpenSSH packages relating only to Red Hat Enterprise Linux 4
(i386 and x86_64 architectures only) and Red Hat Enterprise Linux 5 (x86_64
architecture only). "
The truth is out there
"oops", and also
"*oops* we let a stranger sign OpenSSH packages"
The sooner the "truth" is known, the less the damage to integrity of Red Hat and Fedora. Other distros may also be compromised but not be aware.