Jan 25, 2011 17:29 GMT

The Fedora Project infrastructure team is currently investigating the compromise of a contributor's account, but preliminary results show that no significant damage resulted from it.

The security breach was announced in an email sent to the Fedora mailing list by the project's leader, Jared Smith.

According to Mr. Smith, the incident occurred on January 22, when a project member notified the infrastructure team about an email from the Fedora Accounts System (FAS) alerting him of changes to his account he never authorized.

A quick investigation determined the account in question had been hijacked, but that hackers did not compromise the integrity of the project, despite the contributor having push access to Fedora SCM packages.

"While the user in question had the ability to commit to Fedora SCM, the Infrastructure Team does not believe that the compromised account was used to do this, or cause any builds or updates in the Fedora build system," Smith wrote.

"The Infrastructure Team believes that Fedora users are in no way threatened by this security breach and we have found no evidence that the compromise extended beyond this single account," he added.

The only thing the attackers did was to change the account's SSH key in the Fedora Accounts System and use it to log into fedorapeople.org, where they had very limited access.

The infrastructure team took file system snapshots of pkgs.fedoraproject.org and fedorapeople.org, as well as reviewed logs for SSH, FAS, Git, and Koji.
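The two facts the article reports, an unauthorized SSH key change recorded by the accounts system and subsequent logins with that key on fedorapeople.org, are exactly the kind of events an infrastructure team correlates when scoping an account compromise. The script below is an added illustration of that correlation; it is not Fedora Infrastructure's tooling. The accounts-system audit events and the sshd log lines are constructed, the audit-event shape (an `ssh_key_changed` record with fingerprint and source IP) is an assumption rather than FAS's real schema, and the sshd lines use the `Accepted publickey ... SHA256:` form that modern OpenSSH emits at `LogLevel VERBOSE`.

```python
"""Correlate an accounts-system SSH key change with later SSH logins.

Added example, not Fedora Infrastructure's own code. All audit events and
log lines are constructed; the accounts-system event shape is an assumption.
"""
import re
from datetime import datetime, timedelta

# Constructed accounts-system audit events (assumed shape, not FAS's schema).
FAS_EVENTS = [
    {"ts": "2011-01-20 09:00:00", "account": "alice", "event": "login",
     "source_ip": "203.0.113.10"},
    {"ts": "2011-01-21 22:10:00", "account": "alice", "event": "ssh_key_changed",
     "fingerprint": "SHA256:NEWKEYaaaa", "source_ip": "198.51.100.7"},
]

# Constructed sshd auth log lines from two hosts (syslog format carries no year).
SSHD_LOG = """\
Jan 20 10:02:11 fedorapeople sshd[3990]: Accepted publickey for alice from 203.0.113.10 port 44020 ssh2: RSA SHA256:OLDKEYbbbb
Jan 21 22:31:05 fedorapeople sshd[4021]: Accepted publickey for alice from 198.51.100.7 port 50122 ssh2: RSA SHA256:NEWKEYaaaa
Jan 22 01:15:40 pkgs sshd[5510]: Accepted publickey for bob from 203.0.113.22 port 40011 ssh2: ED25519 SHA256:BOBKEYcccc
Jan 22 02:00:00 pkgs sshd[5533]: Failed publickey for alice from 198.51.100.7 port 50200 ssh2: RSA SHA256:NEWKEYaaaa
Jan 22 03:40:12 fedorapeople sshd[4100]: Accepted publickey for alice from 198.51.100.7 port 50300 ssh2: RSA SHA256:NEWKEYaaaa
"""

SSHD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted publickey for (?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2: "
    r"(?P<ktype>\S+) (?P<fp>SHA256:\S+)$"
)


def parse_sshd(text, year):
    """Return successful public-key logins as dicts; failed attempts are skipped."""
    logins = []
    for line in text.splitlines():
        m = SSHD_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        logins.append({"ts": ts, "host": m["host"], "user": m["user"],
                       "ip": m["ip"], "fp": m["fp"]})
    return logins


def key_changes(events):
    """Yield (account, change_time, new_fingerprint, source_ip) per key change."""
    for e in events:
        if e["event"] == "ssh_key_changed":
            yield (e["account"],
                   datetime.strptime(e["ts"], "%Y-%m-%d %H:%M:%S"),
                   e["fingerprint"], e["source_ip"])


def logins_with_new_key(events, logins, window=timedelta(days=3)):
    """Logins that used a key registered at most `window` before the login.

    A login with a freshly registered key is not proof of compromise on its
    own, so each finding also records whether the login came from the same
    IP that made the key change, a second signal worth reviewing.
    """
    findings = []
    for account, changed_at, new_fp, change_ip in key_changes(events):
        for login in logins:
            if (login["user"] == account and login["fp"] == new_fp
                    and changed_at <= login["ts"] <= changed_at + window):
                findings.append({**login, "changed_at": changed_at,
                                 "same_ip_as_change": login["ip"] == change_ip})
    return findings


def hosts_reached(findings):
    """Hosts the new key authenticated to: the scope of what needs snapshotting."""
    return sorted({f["host"] for f in findings})


if __name__ == "__main__":
    found = logins_with_new_key(FAS_EVENTS, parse_sshd(SSHD_LOG, 2011))
    for f in found:
        print(f"{f['ts']} {f['user']}@{f['host']} from {f['ip']} "
              f"key {f['fp']} same_ip_as_change={f['same_ip_as_change']}")
    print("hosts reached with the new key:", hosts_reached(found))
```

On the constructed data the new key is accepted only on fedorapeople.org; the attempt against pkgs fails and is deliberately not counted, which mirrors the article's conclusion that the compromised account touched fedorapeople.org but not the package repositories. In practice the same join would be extended with Git push and Koji build records keyed on the account name over the same window.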

A more in-depth investigation and security audit is currently underway, but at this moment evidence suggests the account was compromised externally and via a vulnerability in the Fedora Project infrastructure.

Even though in this case the damage was almost nonexistent, account compromises of this type can have far more serious consequences. In August 2009, the Apache Project had to shut down most of its servers after a hacked account was used to upload Web shells to them.