Fedora infrastructure hacked – no damage done
The Fedora Project has confirmed that there was an intrusion into its infrastructure on the 22nd, but investigations have shown "no impact on product integrity". The announcement of the intrusion by Fedora Project Leader, Jared Smith, states that the project became aware of a problem when a contributor received an email from FAS, the Fedora Accounts System, saying his account details had been changed.
The Fedora Infrastructure Team investigated and confirmed the account had been compromised. After locking down systems, snapshotting file systems and auditing logs, it was found that the account, which was only authorised to SSH to fedorapeople.org, push packages into Fedora's SCM and perform builds of Fedora packages, had been used only to change the account's SSH key and log into fedorapeople.org.
"We do not believe that any Fedora packages or other Fedora contributor accounts were affected by this compromise", said Smith, adding that there is no evidence that "the compromise extended beyond this single account". Smith took the opportunity to remind Fedora packagers to regularly review commits on their packages and to report suspicious activities; also, Fedora contributors should choose a strong FAS password which is not used on other sites.
A deeper investigation and security audit are also ongoing, and Smith says the project will announce if there are any material changes to what is currently believed to be the extent of the compromise.