A few days ago, Red Hat, Inc., announced that an intruder had broken into some of their systems and possibly compromised some important software packages. The most significant among them is OpenSSH--the software used to connect securely to a remote Linux system.
Red Hat quickly took the systems offline to investigate the damage and found that one of their Fedora servers had been breached. That server is used to sign packages before they are distributed to the various mirrors and networks for download. Package signing assures the end user that a package is genuine and free of harmful code.
Thus far, Red Hat has found no conclusive evidence that any of their package signatures were compromised and is confident that their packages are safe to use on your systems. To strengthen that position, they have released updated OpenSSH packages that have been verified as free of any malicious code.
CentOS, which is built from Red Hat Enterprise Linux source RPMs, checked its code for vulnerabilities and found none. CentOS runs its own distribution network and provides independently checked software for users. Security and stability are high priorities for the CentOS team.
Earlier this year, CentOS announced that there was, in fact, a security problem with the Debian OpenSSL package code that prevented the software from gathering enough entropy (randomness) for its random number generator (RNG). The affected package version in that vulnerability is 0.9.8c-1.
To check your version of OpenSSH and OpenSSL, connect to your Linux system and issue the following command:
rpm -qa | grep open
This command lists every installed package whose name contains "open", along with its version and release numbers.
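As an added example (not from the original article), here is a small Python checker for that rpm -qa listing: it parses each name-version-release[.arch] entry, compares versions the way rpm does (a simplified rpmvercmp, where a plain string comparison would get "p2" vs "p10" wrong), and flags packages that fall below a minimum. The sample listing and the minimum versions are constructed placeholders, not Red Hat's actual fixed versions; substitute the values from the vendor advisory.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of `rpm -qa | grep open` output; not from a real system.
SAMPLE_RPM_QA = """\
openssh-4.3p2-26.el5.x86_64
openssh-server-4.3p2-26.el5.x86_64
openssl-0.9.8b-10.el5.i686
openldap-2.3.27-8.el5.x86_64
"""

# Hypothetical floors, name -> (version, release). Placeholder values for
# illustration only; take the real ones from the vendor's advisory.
MINIMUM: Dict[str, Tuple[str, str]] = {
    "openssh": ("4.3p2", "26.el5"),
    "openssh-server": ("4.3p2", "27.el5"),
    "openssl": ("0.9.8b", "12.el5"),
}

# Older rpm prints no arch by default; only strip a trailing arch we recognise.
_ARCHES = {"noarch", "i386", "i586", "i686", "x86_64", "ppc", "ppc64", "s390x", "ia64"}
_SEG = re.compile(r"[0-9]+|[A-Za-z]+")


def parse_nvra(line: str) -> Tuple[str, str, str, str]:
    """Split 'name-version-release[.arch]'. Names may contain hyphens, so split from the right."""
    pkg, _, tail = line.rpartition(".")
    if tail in _ARCHES:
        arch = tail
    else:
        pkg, arch = line, ""
    name, version, release = pkg.rsplit("-", 2)
    return name, version, release, arch


def rpmvercmp(a: str, b: str) -> int:
    """Simplified rpmvercmp: walk numeric/alpha segments in order; numbers compare
    numerically, letters lexically, a numeric segment beats an alpha one, and the
    string with segments left over is newer. Returns -1, 0 or 1."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        xn, yn = x.isdigit(), y.isdigit()
        if xn and yn:
            return (int(x) > int(y)) - (int(x) < int(y))
        if xn != yn:
            return 1 if xn else -1
        return (x > y) - (x < y)
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def outdated(rpm_qa_output: str, minimum: Dict[str, Tuple[str, str]]) -> List[str]:
    """Return the listed packages older than their (version, release) floor; others are ignored."""
    flagged = []
    for line in filter(None, (l.strip() for l in rpm_qa_output.splitlines())):
        name, ver, rel, _arch = parse_nvra(line)
        if name in minimum:
            min_ver, min_rel = minimum[name]
            if (rpmvercmp(ver, min_ver) or rpmvercmp(rel, min_rel)) < 0:
                flagged.append(line)
    return flagged


if __name__ == "__main__":
    for pkg in outdated(SAMPLE_RPM_QA, MINIMUM):
        print("needs update:", pkg)
```

On a real host, pipe the actual `rpm -qa` output into outdated() instead of the constructed sample.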
To ensure that you maintain an up-to-date system, install up2date or create a crontab entry that runs yum update at least once a day.
Security vigilance and maintenance are ongoing issues in all environments. You must keep your systems up-to-date and stay aware of security vulnerabilities that may negatively affect you and your users.