SecurityFocus, 2008-08-22
The infrastructure supporting open-source Linux distributions has occasionally been targeted by online criminals. Last August, attackers compromised five of the eight servers that hosted software for the Ubuntu Linux project. In 2003, a rogue developer attempted to insert a backdoor into a common component of the Linux operating system.
Recently, two groups of researchers have warned that many of the package management systems used to update software over the Internet have serious flaws. A group of students from the University of Arizona found that a variety of attacks could let an attacker deliver compromised software components to an unsuspecting end user. Last month, a group of researchers released Evilgrade, a tool that allows penetration testers to exploit computers through the automated update features of Sun Microsystems' Java, Winzip, Winamp, Mac OS X, OpenOffice, iTunes, Linkedin Toolbar, DAP, Notepad++, and Speedbit.
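Both warnings above come down to what an update client does, or fails to do, with what a mirror hands it. The Python script below is an added illustration, not code from SecurityFocus, the Arizona group, or the Evilgrade authors, and the article does not describe the specific attacks each found. It shows the three checks a client needs before installing anything from a mirror: that the repository metadata carries a valid signature, that the metadata is fresh rather than an old but genuinely signed snapshot, and that the package bytes match the hash the signed metadata promises. Everything in it is constructed: the HMAC keyed with `REPO_KEY` stands in for a real public-key signature (a real client verifies a GPG, RSA or Ed25519 signature and never holds the signing key), the one-week freshness window `MAX_AGE`, and the package contents and mirror scenarios are all assumptions for the demonstration.

```python
"""Toy update client: the checks a package manager must do before installing.

Added example, not the code of any real package manager. An HMAC stands in
for the repository signature so the script runs with the standard library only.
"""
import hashlib
import hmac
import json

# Assumption: REPO_KEY plays the role of the repository's signing key. In a real
# design the client holds only a public key and cannot produce signatures.
REPO_KEY = b"example-repository-signing-key"
MAX_AGE = 7 * 24 * 3600  # assumed freshness window: one week, in seconds


def _canonical(metadata):
    # Canonical JSON so signer and verifier hash exactly the same bytes.
    return json.dumps(metadata, sort_keys=True, separators=(",", ":")).encode()


def sign_metadata(metadata, key=REPO_KEY):
    """Repository side: sign the metadata file (toy HMAC in place of a signature)."""
    return hmac.new(key, _canonical(metadata), hashlib.sha256).hexdigest()


def verify_update(name, metadata, signature, package_bytes, now, key=REPO_KEY):
    """Client side: return (accepted, reason) for one package fetched from a mirror."""
    expected = hmac.new(key, _canonical(metadata), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signature):
        return False, "signature invalid"          # metadata altered or unsigned
    if now - metadata["timestamp"] > MAX_AGE:
        return False, "metadata stale"             # old snapshot served again
    entry = metadata["packages"].get(name)
    if entry is None:
        return False, "package not in signed metadata"
    if hashlib.sha256(package_bytes).hexdigest() != entry["sha256"]:
        return False, "package hash mismatch"      # package swapped on the mirror
    return True, "ok"


def run_scenarios(now=1_219_000_000):
    """Constructed scenarios: one honest mirror and three hostile ones."""
    good_pkg = b"#!/bin/sh\necho 'genuine package 1.1'\n"
    old_pkg = b"#!/bin/sh\necho 'package 1.0 with a known hole'\n"
    evil_pkg = b"#!/bin/sh\necho 'trojaned package'\n"

    # Current, properly signed repository metadata (one hour old).
    current = {"timestamp": now - 3600,
               "packages": {"tool": {"version": "1.1",
                                     "sha256": hashlib.sha256(good_pkg).hexdigest()}}}
    current_sig = sign_metadata(current)

    # An old snapshot the attacker kept; its signature is genuine but it is stale
    # and points at a package version that has since been fixed.
    old = {"timestamp": now - 90 * 24 * 3600,
           "packages": {"tool": {"version": "1.0",
                                 "sha256": hashlib.sha256(old_pkg).hexdigest()}}}
    old_sig = sign_metadata(old)

    # The attacker rewrites the hash to point at the trojan but cannot re-sign,
    # so the old signature is presented with the edited metadata.
    forged = json.loads(json.dumps(current))
    forged["packages"]["tool"]["sha256"] = hashlib.sha256(evil_pkg).hexdigest()

    return {
        "honest mirror": verify_update("tool", current, current_sig, good_pkg, now),
        "swap package only": verify_update("tool", current, current_sig, evil_pkg, now),
        "replay old metadata": verify_update("tool", old, old_sig, old_pkg, now),
        "forge metadata": verify_update("tool", forged, current_sig, evil_pkg, now),
    }


if __name__ == "__main__":
    for scenario, (ok, reason) in run_scenarios().items():
        print(f"{scenario:22s} -> {'accept' if ok else 'reject'} ({reason})")
```

The order of the checks matters: the signature is verified before anything in the metadata is trusted, so the timestamp used for the freshness test is itself covered by the signature. A client that checks only the package hash against unsigned metadata, or that accepts any validly signed metadata regardless of age, passes the "forge metadata" or "replay old metadata" case respectively, which is the kind of gap the researchers' warnings are about.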
It took more than a week for details of the latest attack, on Red Hat's and Fedora's infrastructure, to surface.
On August 14, the Fedora Project issued a notice to its announcement list for Fedora developers stating that administrators were "investigating an issue in the infrastructure systems."
"We're still assessing the end-user impact of the situation, but as a precaution, we recommend you not download or update any additional packages on your Fedora systems," Fedora's Frields wrote.
For eight days, developers speculated about the nature of the issue. On Friday, Red Hat and the Fedora Project admitted that the issue was, in fact, a breach.
Security professionals varied in their assessment of the breaches at Red Hat and Fedora.
While it's unlikely that the full extent of the breaches is known, the biggest problem is likely to be the negative publicity and the questions raised by the attacks' success, said David Aitel, chief technology officer for penetration-testing tool maker Immunity.
"How does it affect their customers' confidence level in general?" is the key question, he said. "People should be concerned that the (attackers) even got that far."
Other companies that use automatic updates should review the security of their systems, because online criminals are increasingly targeting package management networks, said Dan Holden, X-Force Product Manager for IBM Internet Security Systems.
"It's no longer just kids putting up greetz to their friends on your Web site, but attackers -- really parasitic attacks -- focusing on controlling the mechanism through which packages are distributed in an attempt to infect the end users," Holden said.
The Fedora Project pledged to produce a timeline of the attacks. Fedora administrators are continuing to clean and check systems.
