Posted by: David Schneier
The maker of Red Hat Enterprise Linux and Fedora said that hackers had gained access to key servers in what appear to be two separate incidents. Red Hat Inc. found last week that someone had compromised several Fedora servers, including one that is used to sign Fedora packages. The company said that although the server was accessed illegally, it does not believe that the passphrase protecting the key used to actually sign the packages was compromised.
Based on our review to date, the passphrase was not used during the time of the intrusion on the system and the passphrase is not stored on any of the Fedora servers.
While there is no definitive evidence that the Fedora key has been compromised because Fedora packages are distributed via multiple third-party mirrors and repositories, we have decided to convert to new Fedora signing keys. This may require affirmative steps from every Fedora system owner or administrator. We will widely and clearly communicate any such steps to help users when available.
In the Red Hat Enterprise Linux incident, the attacker was able not only to compromise some servers, but also to use the RHEL key to sign some OpenSSH packages. The compromised packages were for RHEL 4 and 5, and Red Hat has published a blacklist of the affected packages. Red Hat also has released updated versions of the compromised packages.
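For an administrator, the practical question raised by the RHEL incident is whether any of the blacklisted builds are installed. The script below is an added example, not Red Hat's own tooling: it parses the output of `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\t%{SIGPGP:pgpsig}\n'` (the sample output, package versions, dates and key IDs embedded here are constructed, not real Red Hat packages), flags any package whose name matches a blacklist, and additionally reports packages that are unsigned or signed by a key other than the expected vendor key. The blacklist format (one package NVRA per entry) and the trusted key ID are assumptions for the example.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Constructed sample of the rpm query output described above; every version,
# timestamp and key ID here is made up for this example.
SAMPLE_RPM_OUTPUT = """\
openssh-4.3p2-99.el5.x86_64\tDSA/SHA1, Thu 14 Aug 2008 10:02:11 AM UTC, Key ID 0000aaaa1111bbbb
openssh-server-4.3p2-99.el5.x86_64\tDSA/SHA1, Thu 14 Aug 2008 10:02:11 AM UTC, Key ID 0000aaaa1111bbbb
openssh-clients-4.3p2-16.el5.x86_64\tDSA/SHA1, Mon 21 Jan 2008 08:15:22 PM UTC, Key ID 0000aaaa1111bbbb
bash-3.2-21.el5.x86_64\tDSA/SHA1, Mon 21 Jan 2008 08:15:22 PM UTC, Key ID 0000aaaa1111bbbb
sudo-1.6.9p17-1.el5.x86_64\tDSA/SHA1, Sat 02 Aug 2008 03:40:00 PM UTC, Key ID 2222cccc3333dddd
vim-minimal-7.0.109-4.el5.x86_64\t(none)
"""

# Hypothetical blacklist of compromised builds (the real list is the vendor's).
BLACKLIST = {
    "openssh-4.3p2-99.el5.x86_64",
    "openssh-server-4.3p2-99.el5.x86_64",
}

# Hypothetical key ID of the vendor's legitimate package-signing key.
TRUSTED_KEY_IDS = {"0000aaaa1111bbbb"}

# rpm prints the signing key as "... Key ID <16 hex digits>"; unsigned packages print "(none)".
KEY_ID_RE = re.compile(r"Key ID ([0-9a-fA-F]{16})")


def parse_rpm_output(text: str) -> Dict[str, str]:
    """Map each installed package NVRA to its signing key ID ('' when unsigned)."""
    packages: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        nvra, _, sig = line.partition("\t")
        match = KEY_ID_RE.search(sig)
        packages[nvra] = match.group(1).lower() if match else ""
    return packages


def audit(packages: Dict[str, str],
          blacklist: Iterable[str],
          trusted_keys: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (nvra, reason) for every package that needs attention, sorted by name.

    The blacklist check comes first on purpose: in the incident described above the
    compromised builds were signed with the legitimate vendor key, so a signature or
    key-ID check alone would pass them.
    """
    blacklist = set(blacklist)
    trusted_keys = {k.lower() for k in trusted_keys}
    findings: List[Tuple[str, str]] = []
    for nvra, key_id in sorted(packages.items()):
        if nvra in blacklist:
            findings.append((nvra, "blacklisted build"))
        elif not key_id:
            findings.append((nvra, "unsigned"))
        elif key_id not in trusted_keys:
            findings.append((nvra, f"signed by untrusted key {key_id}"))
    return findings


if __name__ == "__main__":
    for nvra, reason in audit(parse_rpm_output(SAMPLE_RPM_OUTPUT), BLACKLIST, TRUSTED_KEY_IDS):
        print(f"{nvra}: {reason}")
```

On a real host, replace `SAMPLE_RPM_OUTPUT` with the output of the rpm query and `BLACKLIST` with the vendor's published list; a "blacklisted build" finding means the package must be replaced with the updated version, while "unsigned" or "untrusted key" findings warrant checking where the package came from.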