8/24/2008

Red Hat Digital Keys Violated by Intruder

Filed under: — Aviran Mordo @ 10:30 am

Just about the most serious breach of security possible at an OS vendor has happened to Red Hat: an intruder gained access to its package-signing keys. Red Hat is releasing updated OpenSSH packages to address the compromise of its internal systems.

In perhaps the most appalling breach of security at a major operating system vendor, Red Hat has revealed that a compromise of its internal systems included the digital signing keys for its distributions. An Aug. 22 advisory from Red Hat announces new OpenSSH packages to deal with the problem:

In connection with the incident, the intruder was able to sign a small number of OpenSSH packages relating only to Red Hat Enterprise Linux 4 (i386 and x86_64 architectures only) and Red Hat Enterprise Linux 5 (x86_64 architecture only). As a precautionary measure, we are releasing an updated version of these packages, and have published a list of the tampered packages and how to detect them at http://www.redhat.com/security/data/openssh-blacklist.html.

In other words, the attacker was able to sign files with Red Hat’s keys. Presumably these were not benign versions he signed. Red Hat stresses that there is no evidence that any such hacked copies got out through its normal distribution channels to its own customers, but it’s possible that some mirrors picked up the code.
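The detection approach the advisory points to, a published list of tampered packages, as an added example that is not Red Hat's own tool and does not use the real list: check a tree of RPM files against a blacklist of known-bad SHA-256 digests, reading each package name out of the RPM lead. The blacklist line format and every sample value are assumptions constructed for illustration.

```python
import hashlib
import os
import struct

# Added example; blacklist format and sample values are assumptions, not Red Hat's.
RPM_LEAD_MAGIC = b"\xed\xab\xee\xdb"  # first four bytes of every RPM file
RPM_LEAD_SIZE = 96                    # fixed-size lead that precedes the headers

def parse_blacklist(text):
    """Parse '<sha256>  <package-name>' lines into {sha256: package-name}."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        if len(digest) != 64 or set(digest.lower()) - set("0123456789abcdef"):
            raise ValueError(f"malformed blacklist line: {line!r}")
        entries[digest.lower()] = name.strip() or "<unnamed>"
    return entries

def rpm_lead_name(path):
    """Return the package name stored in the RPM lead, or None if not an RPM."""
    with open(path, "rb") as fh:
        lead = fh.read(RPM_LEAD_SIZE)
    if len(lead) < RPM_LEAD_SIZE or lead[:4] != RPM_LEAD_MAGIC:
        return None
    # lead layout: magic(4) major(1) minor(1) type(2) archnum(2) name(66) ...
    name = struct.unpack_from("66s", lead, 10)[0]
    return name.split(b"\0", 1)[0].decode("ascii", "replace")

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def find_tampered(root, blacklist):
    """Walk `root`; return (path, lead_name, listed_name) for each listed RPM. The GPG
    signature is not consulted: a compromised key signs a trojaned build just as validly."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fname in sorted(files):
            if fname.endswith(".rpm"):
                path = os.path.join(dirpath, fname)
                digest = sha256_file(path)
                if digest in blacklist:
                    hits.append((path, rpm_lead_name(path), blacklist[digest]))
    return hits
```

A hit means the file must be replaced with the reissued package regardless of what `rpm -K` reports, since the signature it carries was made with the stolen key.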

