Re: Security incident on Fedora infrastructure on 23 Jan 2011

2011-01-27 Thread Paul W. Frields
On Thu, Jan 27, 2011 at 01:35:05AM +0530, Rahul Sundaram wrote:
> On 01/27/2011 01:12 AM, Paul W. Frields wrote:
> > On Wed, Jan 26, 2011 at 09:30:24AM -0700, Kevin Fenzi wrote:
> >>
> >> Disappointingly the slashdot story paraphrased another site that went
> >> with a sensationalized headline and

Re: Security incident on Fedora infrastructure on 23 Jan 2011

2011-01-26 Thread Rahul Sundaram
On 01/27/2011 01:12 AM, Paul W. Frields wrote:
> On Wed, Jan 26, 2011 at 09:30:24AM -0700, Kevin Fenzi wrote:
>>
>> Disappointingly the slashdot story paraphrased another site that went
>> with a sensationalized headline and was low on facts. They didn't even
>> point to the actual announcement for

Re: Security incident on Fedora infrastructure on 23 Jan 2011

2011-01-26 Thread Paul W. Frields
On Wed, Jan 26, 2011 at 09:30:24AM -0700, Kevin Fenzi wrote:
> On Wed, 26 Jan 2011 15:25:40 +1300
> Al Reay wrote:
>
> > Looks like it's made the news
> >
> > http://news.slashdot.org/story/11/01/25/1723259/Fedora-Infrastructure-Compromised
>
> Disappointingly the slashdot story paraphrased ano

Re: Security incident on Fedora infrastructure on 23 Jan 2011

2011-01-26 Thread Kevin Fenzi
On Wed, 26 Jan 2011 15:25:40 +1300
Al Reay wrote:
> Looks like it's made the news
>
> http://news.slashdot.org/story/11/01/25/1723259/Fedora-Infrastructure-Compromised
Disappointingly the slashdot story paraphrased another site that went with a sensationalized headline and was low on facts. The

Re: Security incident on Fedora infrastructure on 23 Jan 2011

2011-01-25 Thread Al Reay
Looks like it's made the news
http://news.slashdot.org/story/11/01/25/1723259/Fedora-Infrastructure-Compromised
Cheers
Al
On Wed, Jan 26, 2011 at 11:34 AM, Kevin Fenzi wrote:
> On Tue, 25 Jan 2011 17:10:20 -0500
> Ricky Zhou wrote:
>
> > > Additionally it would be nice to investigate whether

Re: Security incident on Fedora infrastructure on 23 Jan 2011

2011-01-25 Thread Kevin Fenzi
On Tue, 25 Jan 2011 17:10:20 -0500
Ricky Zhou wrote:
> > Additionally it would be nice to investigate whether the account was
> > used to access the test machine resources for package maintainers:
> > https://fedoraproject.org/wiki/Test_Machine_Resources_For_Package_Maintainers
> Good point. We

Re: Security incident on Fedora infrastructure on 23 Jan 2011

2011-01-25 Thread Ricky Zhou
On 2011-01-25 10:50:48 PM, Till Maas wrote:
> Did he really not have write access to the Fedora wiki or the different
> trac instances (wiki, ticket system) on fedorahosted? I am not sure how
> it is handled, but he also might have had push access to the comps repo
> on fedorahosted.
Sorry, these a

Re: Security incident on Fedora infrastructure on 23 Jan 2011

2011-01-25 Thread Till Maas
On Tue, Jan 25, 2011 at 10:14:23AM +1000, Jared K. Smith wrote:
> The account in question was not a member of any sysadmin or Release
> Engineering
> groups. The following is a complete list of privileges on the account:
> * SSH to fedorapeople.org (user permissions are very limited on this
> m

Security incident on Fedora infrastructure on 23 Jan 2011

2011-01-24 Thread Jared K. Smith
Summary: Fedora infrastructure intrusion but no impact on product integrity
On January 22, 2011 a Fedora contributor received an email from the Fedora Accounts System indicating that his account details had been changed. He contacted the Fedora Infrastructure Team indicating that he had received