LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

Book review: Open Advice

Linux support for ARM big.LITTLE

LWN.net Weekly Edition for February 9, 2012

XBMC 11 "Eden"

LWN.net Weekly Edition for February 2, 2012

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Another update on Fedora infrastructure

Another update on Fedora infrastructure

Posted Aug 19, 2008 14:30 UTC (Tue) by kragil (guest, #34373)
In reply to: Another update on Fedora infrastructure by sbergman27
Parent article: Another update on Fedora infrastructure 

Are the servers running fedora ??

I guess they are running RHEL .. that makes the exploit even scarier. ( OK .. might be wild
speculation on my part ;) )

While I am speculating .. :)

I also guess all the investment into SELinux did not help. Maybe AppAmor and/or Smack are
better suited for human beings.

(Log in to post comments)

Gracious!

Posted Aug 19, 2008 14:47 UTC (Tue) by dwheeler (guest, #1216) [Link]

Again, let's give them credit; whatever the problem is, they are clearly taking it really seriously, as evidenced by the extraordinary steps they're taking. And we don't know if AppArmor (etc.) would have done any better. Generally Fedora/Red Hat work especially hard on preventing attack (see their SELinux work, stack protection, etc.); I think it's silly to imply that they don't take security seriously.

Here's hoping that it's some sort of serious compiler bug, instead of an attack. However, while I don't have any inside information, I wouldn't bet on that. The sheer secrecy of details suggests a serious attack.

Gracious!

Posted Aug 19, 2008 15:10 UTC (Tue) by kragil (guest, #34373) [Link] 

I'm sorry. Speculating is fun though.

Maybe they introduced a trojan into the build sources for an update and Linus installed that
update and then they changed the kernel source on Linus' box ( because he is running fedora,
isn`t he. He shouldn`t say something like that by the way, makes him _obviously_ more
vulnerable ;P ) and from now on all kernels will be exploitable by default... B)

But seriously: I'm just kidding .. like I said: Speculating is fun.

Gracious!

Posted Aug 19, 2008 16:23 UTC (Tue) by jengelh (subscriber, #33263) [Link] 

All this secrecy gets tiring. First the huge bubble about DNS, now Fedora. What I kinda miss
in all of this mess is an informant leaking details ;-)

Gracious!

Posted Aug 19, 2008 16:47 UTC (Tue) by mmcgrath (subscriber, #44906) [Link] 

Fedora said it:

"We know the community is awaiting more detail on the past week's
activities and their causes.  We're preparing a timeline and details and
will make them available in the near future.  We appreciate the
community's patience, and will continue to post updates to the
fedora-announce-list as soon as possible."

Paul has told us all that he's going to make this known in the near future.  I know I'll be
holding Fedora to that :)

Another update on Fedora infrastructure

Posted Aug 19, 2008 16:40 UTC (Tue) by dowdle (subscriber, #659) [Link] 

As has been pointed out in a comment to a previous mention of an update notice... the most
common thing it could be would be a compromised account of someone who had high administrative
rights within their infrastructure.  In security the weakest link is usually human and
SELinux, AppArmor, etc can't defend against that... nor physical access.

Of course I have no idea what the problem is/was.

I think this is a testament to Fedora's ability to keep a tight lid on an issue... and keep it
from leaking before they are ready to make an announcement.  Great job guys!

Another update on Fedora infrastructure

Posted Aug 19, 2008 16:51 UTC (Tue) by Sutoka (guest, #43890) [Link] 

This is what I was thinking. It wasn't that long ago that something similar happened in the
Debian project, though that was 'only' a developer (and not an administrator IIRC). If one of
the Fedora admins, say, had privileged login for several of the main fedora project servers
saved on their laptop and then their laptop got stolen, the project may be taking all this as
a precautionary attempt to change all their login/keys/etc and they're keeping quiet because
they're hoping they can get everything before the person realizes what they got.

Going further with this hypothetical, it's possible there were several days before the laptop
being stolen and the Fedora projecting finding out so they may simply be worried that any
would-be attackers were able to take any credentials on the laptop and spread to other parts
of the system as well, and they're using this as an opportunity to do a *complete*
audit/reinstalls/upgrades/etc.

Then again, this is all speculation so I may be completely off.

Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds