Red Hat have released a security advisory detailing an intrusion on their servers. The attacker apparently managed to sign some compromised OpenSSH packages.
There is a parallel Fedora announcement, and although it seems that Fedora wasn’t affected, they are issuing new package signing keys as a precaution. Red Hat use a hardware device for signing their packages, so they can make sure no further compromised packages can be created without having to redistribute new signing keys.
Red Hat Network wasn’t compromised, so although the signed packages were created, there is no risk to those whose only means of obtaining packages is via RHN (i.e., most Red Hat users).
Whilst there certainly isn’t any need to panic, this is sure to cause concern amongst those running Red Hat.


