Last August, Red Hat’s Fedora project announced that its servers had been compromised — now 6 months later (after an exhaustive investigation), Red Hat has revealed exactly what happened.
According to Red Hat Fedora Project Leader Paul Frields, the compromise did not come by way of any vulnerable software on the Fedora servers but rather by way of an SSH key that wasn’t properly secured. The SSH key belonged to a Fedora administrator and was used by the attacker to build modified versions of openssh and rpm. That’s pretty serious, as it means the attacker could have potentially messed up all Fedora packages — but that’s not what happened in the end.
“The intruder did deploy the modified packages, and the modified SSH package may have captured passphrases for a short time,” Frields reported. “However, the investigation supports the conclusion that the modified packages were discovered before anyone accessed the system to sign any packages using the modified RPM package.”