On Sat, 23 Aug 2008 00:38:15 +0200, Björn Persson <bjorn@xxxxxxxxxxxxxxxxxxxx> wrote:

> Anne Wilson wrote:
> > On Friday 22 August 2008 17:48:22 Tom Killian wrote:
> > > > One of the compromised Fedora servers was a system used for signing Fedora packages. However, based on our efforts, we have high confidence that the intruder was not able to capture the passphrase used to secure the Fedora package signing key. Based on our review to date, the passphrase was not used during the time of the intrusion on the system and the passphrase is not stored on any of the Fedora servers.
> > >
> > > Hmm, sounds like the passphrase is safe, but the passphrase-encrypted private key is in the hands of the bad guys, a good reason to revoke the key.
> >
> > That is not at all what was said. The 'bad guy' intruded into the system. At no time did he use the passphrase - as has been verified. I can think of no reason for him not to do so if he had got the private key. The FUD on this list is unbelievable.
>
> Tom is right. What the announcement says is that we must assume that the intruder has the key but he probably can't use it. The key is encrypted with a passphrase and the intruder had no way of finding out the passphrase. The key therefore needs to be changed but there's no need to panic.
>
> Björn Persson

OK, but is it also on Fedora, with the OpenSSH issue? Or how could we now find out if our systems are compromised too?

Roger

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
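One concrete thing an administrator can do while waiting for a replacement key, given Björn's point that the old signing key must be assumed to be in the intruder's hands, is to inventory which installed packages carry a signature from that key, so they can be re-verified once the new key is published. The script below is an added example, not code from the thread or from the Fedora project. It parses the output of an `rpm -qa --qf` query using the usual pgpsig query-format idiom; the package names, dates and key IDs in the constructed sample are invented for the example, and the "suspect" key ID is a hypothetical placeholder, not the real Fedora key.

```python
import re
import subprocess

# Query format that prints the signing key for each package regardless of
# whether the signature lives in the DSA/RSA header tags or the older
# SIGGPG/SIGPGP tags (this is the common rpm --qf idiom, not Fedora-specific code).
QF = (
    "%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH} "
    "%|DSAHEADER?{%{DSAHEADER:pgpsig}}:{%|RSAHEADER?{%{RSAHEADER:pgpsig}}:"
    "{%|SIGGPG?{%{SIGGPG:pgpsig}}:{%|SIGPGP?{%{SIGPGP:pgpsig}}:{(none)}|}|}|}|\n"
)

# Constructed sample of what the query above prints.  Package versions,
# dates and key IDs are made up for this example.
SAMPLE_RPM_OUTPUT = """\
openssh-5.0p1-3.fc9.x86_64 DSA/SHA1, Fri 15 Aug 2008 21:10:32 CEST, Key ID 0123456789abcdef
openssh-server-5.0p1-3.fc9.x86_64 DSA/SHA1, Fri 15 Aug 2008 21:10:32 CEST, Key ID 0123456789abcdef
bash-3.2-22.fc9.x86_64 DSA/SHA1, Tue 01 Apr 2008 10:02:11 CEST, Key ID fedcba9876543210
localbuild-1.0-1.x86_64 (none)
"""

# Hypothetical key ID standing in for "the key that was on the compromised host".
SUSPECT_KEY_IDS = ["0123456789ABCDEF"]

# rpm prints either an 8-hex short key ID (older versions) or a 16-hex long one.
SIG_RE = re.compile(r"Key ID ([0-9a-fA-F]{8,16})$")


def parse_rpm_sigs(text):
    """Map package NVRA -> lowercase signing key ID, or None if unsigned."""
    result = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        pkg, _, sig = line.partition(" ")
        m = SIG_RE.search(sig)
        result[pkg] = m.group(1).lower() if m else None
    return result


def packages_signed_by(sigs, suspect_key_ids):
    """Packages whose signature was made with one of the given key IDs."""
    suspect = {k.lower() for k in suspect_key_ids}
    return sorted(p for p, k in sigs.items() if k in suspect)


def unsigned_packages(sigs):
    """Packages with no PGP signature at all (local builds, manual installs)."""
    return sorted(p for p, k in sigs.items() if k is None)


def live_rpm_output():
    """Run the query on the local host; only works on an RPM-based system."""
    return subprocess.check_output(["rpm", "-qa", "--qf", QF], text=True)


if __name__ == "__main__":
    sigs = parse_rpm_sigs(SAMPLE_RPM_OUTPUT)
    for p in packages_signed_by(sigs, SUSPECT_KEY_IDS):
        print("signed by suspect key:", p)
    for p in unsigned_packages(sigs):
        print("no signature:", p)
```

Replace `SAMPLE_RPM_OUTPUT` with `live_rpm_output()` to run it against a real system. Note the limit of this check: a signature from the old key only tells you the package was signed with a key that should no longer be trusted, not that the package is malicious, and `rpm -V` file verification is no stronger, because it compares against whatever the (possibly re-signed) package database says. It narrows the re-verification list; it does not by itself answer whether a host was compromised.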