Fedora servers may have been breached
Server failure announcements on the Fedora mailing list are currently causing alarm among users of the Fedora Linux distribution. Paul Frields, head of the Fedora project, said there had evidently been a problem with various servers in the Fedora infrastructure that had led the project to reinstall its systems. Frields gave no information about the precise reasons for this action, but US media are already speculating that a breach in one of the systems was to blame.
Apart from the package servers, many of the Fedora servers were not available due to the maintenance work. Frields recommended that no new packages be installed or updated until the problem was solved, which strongly hints at a security problem, possibly with manipulated packages. Fedora packages are digitally signed, but if the programs have already been manipulated on the build server, the signature will be worthless: it shows only that the package was signed with the project's key, not that the contents were clean when they were signed.
Most of the systems are now online again. The asterisk1, collab1, cvs1, builders, x86, ppc and Fedora People servers are due to be available shortly. The Fedora developers promise to publish details of the problem as soon as all systems have been restored and investigations completed.
- Important infrastructure announcement by P. Frields
- Infrastructure status, 2008-08-16 UTC 1530, announcement by P. Frields
- Infrastructure status, 2008-08-19 UTC 0200, announcement by P. Frields