Article 6W1ER Supply Chain Attacks on Linux distributions (Fenrisk)

by corbet, from LWN.net (#6W1ER)
A security company called Fenrisk has posted an overview of a pair of claimed successful supply-chain attacks on the Fedora and openSUSE distributions.

We successfully identified vulnerabilities in Pagure, the Git forge used by Fedora to store their package definitions. We also compromised Open Build Service, the all-in-one toolchain used and developed by the openSUSE project for compilation and packaging.

Their exploitation by malicious actors would have led to the compromise of all the packages of the distributions Fedora and openSUSE, as well as their downstream distributions, impacting millions of Linux servers and desktops.

[Update: SUSE has put out a statement about the vulnerability; "While this is a serious vulnerability that needed to be fixed quickly, the impact was inaccurately described."]

Source: LWN.net RSS feed (http://lwn.net/headlines/rss), https://lwn.net/