A Fedora project leader issued an alert to a Fedora e-mail list that some Fedora servers were taken offline after they were found to have been illegally accessed last week.

The open-source vendor also released a script designed to detect potentially compromised OpenSSH (OpenBSD’s Secure Shell protocol implementation) packages.

Despite the fact that there is no evidence that the Fedora key has been compromised, Fedora is converting to new Fedora signing keys because Fedora packages are distributed via multiple third-party mirrors and repositories.

“One of the compromised Fedora servers was a system used for signing
Fedora packages. However, based on our efforts, we have high confidence
that the intruder was not able to capture the passphrase used to secure
the Fedora package signing key,” the alert said.

Red Hat warned on Friday that a network attack compromised some servers last week that are involved with both its commercially supported and free versions of Linux.

The intruder was able to sign a “small number” of OpenSSH packages relating to Red Hat Enterprise Linux versions 4 and 5, so Red Hat is releasing an updated version of those packages. The company has published a list of the tampered packages and instructions for how to detect them.

The breaches involved Red Hat Linux Enterprise servers and those from its community-supported Fedora project that it sponsors.

“We are issuing this alert primarily for those who may obtain Red Hat binary packages via channels other than those of official Red Hat subscribers,” the advisory said.

Red Hat said in a security advisory that it is confident the intrusion did not compromise the Red Hat Network, which is the chief mechanism used to distribute changes to its Red Hat Enterprise Linux product, or updates sent over the network. Therefore customers are not at risk, the company said.