[Madlug] Redhat compromise

Leinweber, James jiml at mail.slh.wisc.edu
Mon Aug 25 12:20:09 CDT 2008


As those of you who follow various security and Linux web sites
already know, for the last week the Fedora project (sponsored by
RedHat) has been recovering from an intrusion into some of their
servers:

https://www.redhat.com/archives/fedora-announce-list/2008-August/msg00012.html

Similarly, in a separate incident, RedHat detected an intrusion into
some of their corporate servers:

http://rhn.redhat.com/errata/RHSA-2008-0855.html

In both cases the miscreants were trying to insinuate themselves
into the package build and signing process, presumably with the
motive of eventually leaking trojaned versions of things like
openssh into the hands of end users.  It is not believed
at this time that the Fedora or Redhat Network repositories were
actually polluted.  CentOS users are presumably unaffected,
as the problems were all internal to RedHat so far, and
CentOS has confirmed this:

http://lists.centos.org/pipermail/centos-announce/2008-August/015195.html

However, as a precaution Redhat has released a shell script
which can check any RPM-based Linux system for a blacklist
of package versions which should not be installed:

http://www.redhat.com/security/data/openssh-blacklist.html

The shell script is short, makes no system modifications, and
does _not_ need to be run as root, and should not be.

When I downloaded it Friday afternoon the accompanying PGP signature
by the Red Hat Security Response Team PGP key with fingerprint
9273 2337 E5AD 3417 5265 64AB 5E54 8083 650D 5882
verified correctly. That 650d5882 key is in my personal PGP web
of trust.

If you have Fedora or Redhat systems you might want to
run the shell script to verify they are OK (it will print
"PASS").  You should verify the PGP signature on the script
before running it, of course.

Meanwhile, Redhat has released new versions of its OpenSSH
packages; I expect CentOS will follow in due course. Also,
the Fedora project is going to change its PGP package signing
keys fairly soon; those of us that use Fedora or Fedora packages
will need to update our RPM keyrings at that time.

This is not a crisis, and you probably don't have any systems
which require emergency patching.  But it is a reminder of how
fragile our software distribution infrastructure can be.

-- James E. Leinweber, BadgIRT volunteer
State Laboratory of Hygiene, University of Wisconsin - Madison
<jiml at slh.wisc.edu> 2810 Walton Commons West; phone +1 608 221 6281
PGP fp: 2E36 47BC DB03 57CE 86AD  19CC 41A1 9179 5C6B C8B9
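The procedure the post describes (verify the detached PGP signature, run the blacklist check as a non-root user, expect "PASS") as an added example; this is neither Red Hat's script nor the author's code. It assumes the file names openssh-blacklist.sh and openssh-blacklist.sh.asc, and the blacklist and package names in the demo are constructed.

```sh
#!/bin/sh
# Added example, not Red Hat's openssh-blacklist script. Assumed names:
# openssh-blacklist.sh and its detached signature openssh-blacklist.sh.asc.
# The fingerprint is the Red Hat Security Response Team key quoted above.
EXPECTED_FPR=92732337E5AD3417526564AB5E548083650D5882

# 1. Refuse to run as root; reading the RPM database needs no privilege.
refuse_root() {
  [ "$(id -u)" -ne 0 ] || { echo "refusing to run as root" >&2; return 1; }
}

# 2. Verify the detached signature AND pin the signer: a "Good signature"
#    from any key in the keyring is not enough. gpg's status output reports
#    "VALIDSIG <signing-key-fpr> ... <primary-key-fpr>"; accept only when one
#    of those equals the expected fingerprint.
verify_pinned() {   # $1 = file, $2 = detached signature
  gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null |
    awk -v fpr="$EXPECTED_FPR" '
      $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == fpr || $NF == fpr) { ok = 1 }
      END { exit !ok }'
}

# 3. The kind of check the script performs: compare installed package NVRs
#    (one per line on stdin, e.g. from `rpm -qa`) against a blacklist file.
#    Prints PASS when nothing matches, otherwise the matching packages.
check_blacklist() {   # $1 = blacklist file, one exact NVR per line
  bad=$(grep -F -x -f "$1" || true)
  if [ -z "$bad" ]; then echo PASS; else printf '%s\n' "$bad"; return 1; fi
}

# Whole procedure from the post: not root, signature pinned, then run it.
run_check() {   # $1 = script, $2 = detached signature
  refuse_root && verify_pinned "$1" "$2" && sh "$1"
}

# Stand-alone demo with a CONSTRUCTED blacklist and package list.
demo() {
  dir=$(mktemp -d)
  printf '%s\n' openssh-bad-1.example openssh-server-bad-1.example > "$dir/bl"
  printf '%s\n' bash-1.example openssh-good-1.example | check_blacklist "$dir/bl"   # PASS
  printf '%s\n' bash-1.example openssh-bad-1.example | check_blacklist "$dir/bl" || :
  rm -rf "$dir"
}
```

Call `run_check openssh-blacklist.sh openssh-blacklist.sh.asc` for the real check, or `demo` to see the PASS/match behaviour on the constructed data.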