Fedora and Red Hat servers broken into
The Fedora infrastructure team has now detailed what was behind the reported problems. According to an email from Fedora project manager Paul Frields, several of the servers used by the project were broken into, including the server responsible for signing packages. Apparently, the intruder attempted, but failed, to crack the passphrase used for signing. Frields says that, as far as they know, no packages were manipulated, but the Fedora team are now signing all packages with a new key.
The initial recommendation from Frields, not to install any new Fedora packages, was a precautionary one, made while it was still unclear whether packages had been manipulated. The compromise has made reinstallation of the servers necessary and, given that, the Fedora team are taking the opportunity to update the servers at the same time.
Red Hat also had an intrusion into its servers, which has resulted in a critical security warning. Red Hat says that it is confident that the Red Hat Network and the content distributed were not compromised, but that the intruder managed to sign a small number of OpenSSH packages belonging to Red Hat Enterprise Server. Red Hat has offered a script to allow users to check if they have affected packages installed. Red Hat has also provided updated packages and directs affected users to Red Hat Support for assistance.