and a sub-minor version of 2.6.16 was released to fix it: 2.6.16.24, and a sub-minor for 2.6.17 (though I don't know which).

It could have happened to ANY Linux machine with local logins, regardless of auth mechanism.

The owner of the account the local exploit was done from is being evaluated.

And it happened last Wednesday. The initial message from James Troup at Wed, 12 Jul 2006 18:47:24 +0100 (13:47 EDT):

Hi,

Early this morning we discovered that someone had managed to compromise gluck.debian.org. We've taken the machine offline and are preparing to reinstall it. This means the following debian.org services are currently offline:

cvs, ddtp, lintian, people, popcon, planet, ports, release

Based on the results of our initial investigation we've locked down most other debian.org machines, limiting access to DSA only, until they can be fixed for what we suspect is the exploit used to compromise gluck.

We're still investigating exactly what happened and the extent of the damage. We'll post more info as soon as we reasonably can.

--
James