The Debian Project warned on Monday that a flaw in the Linux kernel helped attackers compromise four of the open-source software project's development servers. During several intrusions Nov. 19, the flaw enabled an attacker who already had access to a server to remove the limitations that protected the system from everyday users. The technique is known as a privilege escalation.

Members of the development team found the flaw in September and fixed the latest version of the core Linux software, or kernel. The fix came a bit late, however. The latest version of the kernel, 2.4.23, was released Friday, eight days after the Debian breach. The Debian Project, which uses only truly open-source software in its make-up, stressed that the breaches hadn't affected the project's code base.

"Fortunately, we require developers to sign the upload (software) digitally," said Martin Schulze, a developer and member of the project. "These files are stored off-site as well, which were used as a basis for a recheck." The development team promised to lock all developer accounts until the flaw had been found and fixed. The team published patches for the flaw on Monday as well but didn't specify when the accounts would be unlocked.

The full story