Fedora Project investigates possible infrastructure compromise

A security incident on Fedora infrastructure has been reported by Jared Smith, Fedora Project’s leader, who confirmed that the account of one of its contributors has been compromised.

According to preliminary results of an investigation mounted by Fedora Project’s Infrastructure Team, the compromise wasn’t the result of an exploitation of a vulnerability.

Luckily for all, the compromised account doesn’t belong to a member of any sysadmin or Release Engineering groups.

Upon being notified by the legitimate account user that something was off, the Infrastructure Team immediately proceeded to lock down the access to the account, take filesystem snapshots of all systems the account had access to, and audit SSH, FAS, Git, and Koji logs from the time of compromise to the present.

So far, they discovered that the attacker changed the account’s SSH key in the Fedora Accounts System and logged in to fedorapeople.org. Fedora users are reassured that he or she did not push any changes to the Fedora SCM or access pkgs.fedoraproject.org in any way, generate a koji cert or perform any builds, or push any package updates.

“The Infrastructure Team believes that Fedora users are in no way threatened by this security breach and we have found no evidence that the compromise extended beyond this single account,” wrote Smith, but they encourage anyone who might notice something is off to report it.