Security breach at kernel.org
An unknown attacker managed to obtain root privileges for some of the most important servers at kernel.org – the main distribution site for the Linux kernel and for a variety of Linux-related software. The web site's news section shows that the administrators detected the intrusion on 28 August.
Unusual server behaviour had already attracted the developers' attention in mid-August; after a restart and a kernel update, several kernel panics began to appear that eventually led to the discovery of the intrusion. According to the current state of investigations, the unknown intruder obtained access via a compromised user account. They probably then exploited security holes to escalate their privileges to root level – but no exact details have been released so far.
The administrators say that the source code repositories are thought to be unchanged, but that this is currently being investigated. The statement concerning the incident also says that the potential damage caused by an intrusion is much smaller at kernel.org than it is at other source code repository hosting sites. Reportedly, this is because the kernel developers work with Git, which uses a SHA1 hash for every source code file; the developers say that, once published, no changes to these files can go unnoticed. In a Linux Foundation blog post, LWN.net editor and kernel hacker Jonathan Corbert explains this in more detail. On his blog, the primary Git developer, Junio C. Hamano, explores, in even greater detail, the possibilities a potential attacker has to modify a Git repository.
Hamano said that those who obtain the Linux source code via Git can be quite certain that they haven't received a version into which malicious code has been injected. However, the statement at kernel.org does not explicitly mention whether the kernel source code patches and tar archives that are accessible via links on the front page at kernel.org are intact. While the integrity of these files can be checked via PGP signatures, the description of this mechanism states that the signatures are generated on one of the servers at kernel.org. It is therefore currently unclear whether the intruder had access to all the necessary components for signing a modified archive.