Online intruders hit Red Hat, Fedora Project
Robert Lemos, SecurityFocus 2008-08-22

Unknown intruders breached the security of several computers used by Linux firm Red Hat and the Fedora Project, forcing administrators to take the systems offline for over a week, Fedora and Red Hat announced on Friday.

The most significant breach involved a system used by the Fedora Project to sign the software packages used to automatically update end users' systems. The breach also affected the Fedora Project's database and proxy servers, hosted systems and collaboration network. A smaller number of servers used by Red Hat were affected by the breach, the Fedora Project stated in its announcement.

Yet, while the extent of the breach appeared to be significant, the Fedora Project claimed that the intruders did not get the package signing key, the cryptographic signing key that would let an attacker introduce malicious software onto Fedora users' systems through the update process.

"Based on our efforts, we have high confidence that the intruder was not able to capture the passphrase used to secure the Fedora package signing key," Paul Frields, Fedora Project Leader for Red Hat, said in an announcement released on Friday. "Based on our review to date, the passphrase was not used during the time of the intrusion on the system and the passphrase is not stored on any of the Fedora servers."

The Fedora Project manages the development and distribution of Red Hat's freely available version of the Linux operating system. The software created by Fedora's developers finds its way into a variety of commercial and non-commercial versions of Linux, including Red Hat Enterprise Linux.

While the Fedora Project has no evidence that the intruders compromised the signing key, the project has decided to create and distribute new keys. The Fedora Project administrators have also performed numerous checks on the collection of software components and have not found anything to suggest that a Trojan horse had been introduced into the software, Frields stated.

While the intruders had only limited impact on Red Hat's systems, they were able to create several signed versions of a potentially malicious OpenSSH package, the company said.

"As a precautionary measure, we are releasing an updated version of these packages, and have published a list of the tampered packages and how to detect them," the company said in its statement.
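The article makes a point worth seeing in practice: the tampered OpenSSH builds were signed with Red Hat's own key, so a signature check alone would have passed them, and the published list of tampered package names was the piece that made detection possible. The following audit script is an added example written for this page, not code from Red Hat or Fedora. It assumes its input is the output of an `rpm -qa --qf` query of the shape shown in the comment (the exact query format is an assumption about rpm's query language); the sample output, the key IDs and the list of tampered package names are all constructed here for illustration.

```python
"""Audit installed RPMs against a trusted signing-key set and a published
list of tampered package builds.

Added example, not code from Red Hat or the Fedora Project.  The rpm query
format below is an assumption; the sample output, key IDs and package names
are constructed for illustration and are not real values.
"""
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Expected input: one line per installed package, produced by a query such as
#   rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH} %{SIGPGP:pgpsig}\n'
# (%{SIGGPG:pgpsig} for DSA-signed packages).  rpm prints "(none)" for a
# package that carries no signature.  Everything below is constructed.
SAMPLE_RPM_OUTPUT = """\
openssh-5.0p1-2.fc9.x86_64 DSA/SHA1, Wed 20 Aug 2008 10:11:12 AM UTC, Key ID 0000000011111111
openssh-server-5.0p1-2.fc9.x86_64 DSA/SHA1, Wed 20 Aug 2008 10:11:12 AM UTC, Key ID 0000000011111111
bash-3.2-22.fc9.x86_64 DSA/SHA1, Fri 18 Apr 2008 01:02:03 PM UTC, Key ID 0000000011111111
locally-built-1.0-1.x86_64 (none)
mystery-tool-2.3-1.fc9.x86_64 RSA/SHA1, Mon 18 Aug 2008 09:00:00 AM UTC, Key ID 2222222233333333
"""

# Constructed trusted key ID (short or long hex forms are both accepted below).
TRUSTED_KEY_IDS = {"11111111"}

# Constructed stand-in for a vendor-published list of tampered builds.  These
# are signed with the trusted key, so only the list can flag them.
TAMPERED_NVRAS = {
    "openssh-5.0p1-2.fc9.x86_64",
    "openssh-server-5.0p1-2.fc9.x86_64",
}

_KEYID_RE = re.compile(r"Key ID ([0-9a-fA-F]+)")


def parse_rpm_sig_lines(text: str) -> List[Tuple[str, Optional[str]]]:
    """Return (name-version-release.arch, lowercase key ID or None) per line."""
    rows: List[Tuple[str, Optional[str]]] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        nvra, _, sig = line.partition(" ")
        match = _KEYID_RE.search(sig)
        rows.append((nvra, match.group(1).lower() if match else None))
    return rows


def key_is_trusted(key_id: str, trusted: Iterable[str]) -> bool:
    """Compare on suffix so 8- and 16-hex-digit IDs from different rpm versions match."""
    k = key_id.lower()
    return any(k.endswith(t.lower()) or t.lower().endswith(k) for t in trusted)


def audit_packages(rows: Iterable[Tuple[str, Optional[str]]],
                   trusted: Iterable[str],
                   tampered: Iterable[str]) -> Dict[str, List[str]]:
    """Bucket packages: unsigned, signed by an untrusted key, or on the tampered list."""
    tampered_set = set(tampered)
    report: Dict[str, List[str]] = {"unsigned": [], "untrusted_key": [], "known_tampered": []}
    for nvra, key_id in rows:
        if key_id is None:
            report["unsigned"].append(nvra)
        elif not key_is_trusted(key_id, trusted):
            report["untrusted_key"].append(nvra)
        # Checked independently: a valid signature does not clear a listed build.
        if nvra in tampered_set:
            report["known_tampered"].append(nvra)
    return report


def audit_sample() -> Dict[str, List[str]]:
    """Run the audit over the constructed sample output."""
    return audit_packages(parse_rpm_sig_lines(SAMPLE_RPM_OUTPUT),
                          TRUSTED_KEY_IDS, TAMPERED_NVRAS)


if __name__ == "__main__":
    for category, names in audit_sample().items():
        print(f"{category}: {', '.join(names) or '-'}")
```

Run against the constructed sample, the two OpenSSH builds land in `known_tampered` even though their signature key is trusted, which is the situation the article describes; the unsigned and unknown-key cases are the other two findings an administrator would want surfaced during a cleanup like the one Fedora performed.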

Red Hat declined to comment on the issue except to refer reporters to the published announcements. In May, the Debian Linux project announced that a change to its crypto libraries had caused its OpenSSL, OpenSSH and OpenVPN software to generate weak encryption keys.

The infrastructure supporting various open-source Linux distributions has occasionally been the target of online criminals. Last August, attackers compromised five of the eight servers that hosted software for the Ubuntu Linux project. In 2003, a rogue developer attempted to insert a backdoor into a common component of the Linux operating system.

Recently, two groups of researchers have warned that many of the package management systems used to update software over the Internet have serious flaws. A group of students from the University of Arizona found that a variety of attacks could allow an attacker to deliver compromised software components to an unsuspecting end user. Last month, a group of researchers released Evilgrade, a tool that allows penetration testers to exploit computers using the automated update feature of Sun Microsystems' Java, Winzip, Winamp, Mac OS X, OpenOffice, iTunes, Linkedin Toolbar, DAP, Notepad++, and Speedbit.

It took more than a week for information on the latest attack on Linux to surface.

On August 14, the Fedora Project issued a notice to its announcement list for Fedora developers stating that administrators were "investigating an issue in the infrastructure systems."

"We're still assessing the end-user impact of the situation, but as a precaution, we recommend you not download or update any additional packages on your Fedora systems," Fedora's Frields wrote.

For eight days, developers speculated over the nature of the issues. On Friday, Red Hat and the Fedora Project admitted that the issue was, in fact, a breach.

Security professionals varied on their assessment of the breaches at Red Hat and Fedora.

While it's unlikely that the full extent of the breaches is known, the biggest problem is likely to be the negative publicity and the questions raised by the success of the attacks, said David Aitel, chief technology officer for penetration-testing tool maker Immunity.

The key question, he said, is "How does it affect their customers' confidence level in general?" He added: "People should be concerned that the (attackers) even got that far."

Other companies that use automatic updates should review the security of their systems, because online criminals are increasingly targeting package management networks, said Dan Holden, X-Force Product Manager for IBM Internet Security Systems.

"It's no longer just kids putting up greetz to their friends on your Web site, but attackers -- really parasitic attacks -- focusing on controlling the mechanism through which packages are distributed in an attempt to infect the end users," Holden said.

The Fedora Project pledged to produce a timeline of the attacks. Fedora administrators are continuing to clean and check systems.
