The security of Fedora servers was compromised
If you are subscribed to the fedora-ni list, you will know that for about a week Fedora updates have not been working well. Today the cause was announced: the servers were compromised.
News Source in English
Source (English)
Last week we discovered that some intruders had illegally entered some Fedora servers. We discovered this quickly, and that is why we took the servers offline.
Security specialists and administrators have been working since then to analyze the intrusion and how much was involved, as well as to reinstall Fedora systems. We are using this time to update the servers both functionally and for their security. We continue to work on this, so please be patient. Anyone with pertinent information related to this, please contact fedora-legal@redhat.com.
One of the compromised servers was the system used for signing Fedora packages. However, based on our efforts, we are confident that the intruder was unable to obtain the passphrase used to unlock the Fedora package signing key. Based on our analysis to date, the passphrase was not used during the time the system was compromised, because the passphrase is not stored on any Fedora server.
Although we have no definitive evidence that the key has been compromised, because the packages are distributed via multiple third-party mirrors and repositories, we have decided to switch to a new key. This may require changes in those repositories, but we will communicate the steps that help users when they are available.
Among our other analyses, we reviewed the Fedora package collection, as well as the source code, and found no discrepancies that would indicate a loss of data integrity. Our efforts have discovered additional vulnerabilities in packages provided by Fedora.
Our previous warnings not to update from the repositories were based on prevention and on respect for the users (the exact damage was still not known - Nushio). That is why we decided to change the package signing key. We have begun to plan and implement other security measures for the future. At this point, we are confident that there is very little risk to users who want to install or update Fedora packages.
In addition, Red Hat, Inc. has detected an intruder in some of its systems and has communicated this to users of Red Hat Enterprise Linux here:
http://rhn.redhat.com/errata/RHSA-2008-0855.html. This notice reads in part: "Last week Red Hat detected an intruder in certain of our systems and took immediate action. While our investigations continue, our initial focus was to review and test the distribution channel we use with our customers, Red Hat Network (RHN), and all of its security measures. Based on these efforts, we are confident that our systems and processes prevented the illegal access from compromising RHN or the content distributed via RHN, and we also believe that any of our customers who keep their systems up to date using RHN are not at risk. We send this alert primarily for those who obtain their packages via channels other than RHN."
It is important to note that the manner in which Fedora and Red Hat were accessed was *not* the same. Indeed, the key used to sign Fedora packages is not connected to, and is different from, the key used to sign packages for Red Hat Enterprise Linux. Likewise, that key is different from, and not connected to, the key used to sign the Extra Packages for Enterprise Linux (EPEL).
We will continue to keep the Fedora community informed of any developments. Starting today