As a result, hackers were able “to sign a small number of OpenSSH packages relating only to Red Hat Enterprise Linux” versions 4 and 5, according to a security update. Aside from the patch, the open source software company provided users with a blacklist script to determine if they are running any of the tampered packages.
OpenSSH provides encrypted communication using the SSH, or secure shell, protocol.
Meanwhile, one of the servers belonging to the Red Hat-sponsored Fedora Project, which is responsible for signing Fedora packages, was compromised. However, team leaders do not believe the intruders were able to steal any passwords used to secure the signing keys.
Still, the Fedora Project decided to release new signing keys “because Fedora packages are distributed via multiple third-party mirrors and repositories,” according to a notice from Paul Frields, a Fedora Project leader.
“It is important to note that the effects of the intrusion on Fedora and Red Hat are not the same,” he wrote. “Accordingly, the Fedora package signing key is not connected to, and is different from, the one used to sign Red Hat Enterprise Linux packages [and vice versa].”