They've finally posted an update on the situation, here
... based on our efforts, we have high confidence that the intruder was not able to capture the passphrase used to secure the Fedora package signing key. Based on our review to date, the passphrase was not used during the time of the intrusion on the system and the passphrase is not stored on any of the Fedora servers.
Among our other analyses, we have also done numerous checks of the Fedora package collection, and a significant amount of source verification as well, and have found no discrepancies that would indicate any loss of package integrity. These efforts have also not resulted in the discovery of additional security vulnerabilities in packages provided by Fedora.
Bottom line for Fedora users: Yes, there was a security breach at Fedora. One of the systems breached was the system they use to apply digital signatures to official Fedora packages. It does not appear that the signing key was accessed, but they have changed it as a precaution. The official package repositories have not been compromised.
It appears that RHEL servers experienced a similar breach, resulting in the possibility that a small number of packages obtained through third parties may contain what appears to be a legitimate Redhat digital signature, when in fact the package is not legit:
... we remain highly confident that our systems and processes prevented the intrusion from compromising RHN or the content distributed via RHN and accordingly believe that customers who keep their systems updated using Red Hat Network are not at risk. We are issuing this alert primarily for those who may obtain Red Hat binary packages via channels other than those of official Red Hat subscribers.
In connection with the incident, the intruder was able to sign a small number of OpenSSH packages relating only to Red Hat Enterprise Linux 4 (i386 and x86_64 architectures only) and Red Hat Enterprise Linux 5 (x86_64 architecture only). As a precautionary measure, we are releasing an updated version of these packages, and have published a list of the tampered packages and how to detect them at http://www.redhat.com/security/data/ope ... klist.html
Bottom line for RHEL users: Don't install any updates to the OpenSSH package that didn't come from a trusted source, even if the package appears to be legit (has a valid digital signature). Official package repositories have not been compromised.
Scary stuff. This sounds like a very deliberate (and sophisticated) attempt to compromise servers running RHEL in the field, by trying to trick administrators into installing an OpenSSH package which has been tampered with (but appears to be a legit Redhat package).
The years just pass like trains. I wave, but they don't slow down.
-- Steven Wilson
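The practical lesson of the post is that a genuine vendor signature is not by itself proof that a package is safe: the intruder got a small number of OpenSSH packages signed with the real key, so they only stand out when their name-version-release is compared against the vendor's published list. The script below is an added example (not part of the post and not Red Hat's tooling) that audits an `rpm` signature query in exactly that way. It consumes the output of `rpm -qa 'openssh*' --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH} %{SIGPGP:pgpsig}\n'` and classifies each package as unsigned, signed by an unexpected key, on the tampered list despite a valid signature, or ok. The key ID, the tampered-package names and the sample query output are all constructed placeholders; a real check would use the vendor's real key fingerprint and the list published at the URL quoted above.

```python
"""Audit installed OpenSSH packages against an official signing key and a
vendor-published list of tampered builds.

Added example: all constants and sample data below are constructed
placeholders, not real Red Hat values.
"""
import re

# Constructed placeholder; a real audit uses the vendor's actual key ID.
OFFICIAL_KEY_ID = "0123456789abcdef"

# Constructed placeholder for the vendor's tampered-package list, keyed by
# name-version-release.arch (the real list is published by the vendor).
TAMPERED_PACKAGES = {
    "openssh-3.9p1-99.example.el4.i386",
    "openssh-server-3.9p1-99.example.el5.x86_64",
}

# Constructed sample output in the shape produced by
#   rpm -qa 'openssh*' --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH} %{SIGPGP:pgpsig}\n'
# One package is on the tampered list yet carries the official key ID,
# one is signed by an unknown key, one is unsigned.
SAMPLE_RPM_OUTPUT = """\
openssh-3.9p1-11.el4.i386 RSA/SHA1, Tue 12 Aug 2008 10:00:00 AM UTC, Key ID 0123456789abcdef
openssh-3.9p1-99.example.el4.i386 RSA/SHA1, Tue 19 Aug 2008 11:00:00 AM UTC, Key ID 0123456789abcdef
openssh-clients-3.9p1-11.el4.i386 RSA/SHA1, Tue 12 Aug 2008 10:00:00 AM UTC, Key ID feedfacecafebeef
openssh-askpass-3.9p1-11.el4.i386 (none)
"""

LINE_RE = re.compile(r"^(?P<nevra>\S+)\s+(?P<sig>.*)$")
KEYID_RE = re.compile(r"Key ID ([0-9a-fA-F]+)")


def parse_rpm_output(text):
    """Return a list of (nevra, key_id) pairs; key_id is None when unsigned."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        key = KEYID_RE.search(m.group("sig"))
        records.append((m.group("nevra"), key.group(1).lower() if key else None))
    return records


def classify(nevra, key_id):
    """Decide what to do with one package.

    The order matters: a package on the tampered list is reported as such
    even though its signature is genuine, which is the case the post warns
    about and the one a plain signature check would miss.
    """
    if key_id is None:
        return "unsigned"
    if key_id != OFFICIAL_KEY_ID.lower():
        return "untrusted-key"
    if nevra in TAMPERED_PACKAGES:
        return "tampered"
    return "ok"


def audit(text):
    """Map every package in the query output to its verdict."""
    return {nevra: classify(nevra, key) for nevra, key in parse_rpm_output(text)}


def packages_to_replace(text):
    """Packages that should be replaced from the official repositories."""
    return sorted(n for n, verdict in audit(text).items() if verdict != "ok")


if __name__ == "__main__":
    for nevra, verdict in audit(SAMPLE_RPM_OUTPUT).items():
        print(f"{verdict:14s} {nevra}")
    print("replace:", ", ".join(packages_to_replace(SAMPLE_RPM_OUTPUT)))
```

On a live system, feed it the real `rpm -qa` output after `rpm -K` has cryptographically verified the signatures; this script only consumes the key ID that `rpm` reports and never validates the signature itself.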