If you have downloaded Ceph from Ubuntu repos, you're safe

Sep 18, 2015 08:20 GMT

Red Hat has discovered that the Ceph community project (ceph.com) and Inktank (download.inktank.com) have been hacked, and they are not sure if the code hosted on them has been affected in any way.

The Red Hat team has explained that download.inktank.com, a resource that offers releases of the Red Hat Ceph product for Ubuntu and CentOS, has been hacked. They have investigated the matter and concluded that the code currently being offered hasn't been changed, but they can't guarantee that no change was ever made.

The same happened with the ceph.com website and repository. The guys from Red Hat haven't mentioned any kind of time frame, which means that they don't know for how long the websites and repositories have been compromised. In order to fix the problems, they have issued new signing keys for both Ceph and Inktank.

Ubuntu repositories are safe, says Mark Shuttleworth

As was mentioned right at the start, Ubuntu and CentOS are the intended targets, so it's easy to see why people should be worried. Even if Red Hat said that the code seems to be intact, people who were using these services should check it twice.

"To reiterate, based on our investigation to date, the customers of the CentOS and Ubuntu versions of Red Hat Ceph Storage should take action as a precautionary measure to download the rebuilt and newly-signed product versions. We have identified and notified those customers directly," reads the announcement made by Red Hat Product Security.

The good news is that Canonical, through Mark Shuttleworth, explained that people who download from the Ubuntu repos haven't been affected by the hack. "For clarity, if you are using Ceph from the Ubuntu repositories then you are not affected at all. If you are using the .deb packages that Red Hat publish from download.ceph.com, then you are affected and should replace their key with the new one."

It remains to be seen if this is the full extent of the hack or if Red Hat Product Security has found all the issues.