SCIENTIFIC-LINUX-DEVEL Archives

August 2008

SCIENTIFIC-LINUX-DEVEL@LISTSERV.FNAL.GOV

From: Troy Dawson
Date: Fri, 22 Aug 2008 11:00:53 -0500

Hello,
RedHat recently put up a security errata announcement for openssh.
https://rhn.redhat.com/errata/RHSA-2008-0855.html
This announcement was different than most because it tells of an intrusion on
its computer systems. And then the following:

"In connection with the incident, the intruder was able to sign a small
number of OpenSSH packages relating only to Red Hat Enterprise Linux 4
(i386 and x86_64 architectures only) and Red Hat Enterprise Linux 5 (x86_64
architecture only). As a precautionary measure, we are releasing an
updated version of these packages, and have published a list of the
tampered packages and how to detect them at
http://www.redhat.com/security/data/openssh-blacklist.html "

Note that this says that only binary (compiled) RPMs were signed. It does
not say that any of the source RPMs were affected. Because Scientific Linux
recompiles and creates our own binary RPMs from the source RPMs, our binary
RPMs were not affected.

As an extra precaution, I have just gone through our openssh source and done
comparisons of each file with both older, newest, and the openssh src.rpm that
was in question. And everything is ok.
There was no difference in any files except the spec files.
The spec files were only changed in known, consistent ways.
The newer src.rpms had more patches, for bug and security fixes. All of these
patches were documented on RedHat's site, and in the changelogs.

I am very confident in saying that our version of openssh was NOT compromised.

We will be pushing out the updated openssh from RedHat later today, but that is 
because there was a minor security update for it.  Not because we feel that our 
version of openssh was compromised.

Thank You
Troy
-- 
__________________________________________________
Troy Dawson  [log in to unmask]  (630)840-6468
Fermilab  ComputingDivision/LCSI/CSI DSS Group
__________________________________________________
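The file-by-file comparison described in the message above (older, newest and suspect src.rpm checked against each other, with only the .spec expected to differ and any new patch expected to be accounted for in the changelog) can be made mechanical. The script below is an added example, not code from the post or from the Scientific Linux project. It assumes each src.rpm has already been unpacked into its own directory (for instance with `rpm2cpio foo.src.rpm | cpio -idm`) and uses two small constructed trees in place of real unpacked packages; the file names and contents in `build_sample_trees` are made up for the demonstration. Every file is hashed with SHA-256, then classified as added, removed or changed, and any changed or removed file that is not a spec file is reported as unexpected so it can be diffed by hand.

```python
import hashlib
import os
import tempfile


def hash_tree(root):
    """Map each regular file under root (relative path) to its SHA-256 hex digest."""
    digests = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[rel] = h.hexdigest()
    return digests


def compare_trees(baseline, suspect, expected_suffixes=(".spec",)):
    """Classify every file in two unpacked source packages.

    Returns a dict of sorted lists:
      added      - present only in suspect (new patches: verify against the changelog)
      removed    - present only in baseline
      changed    - same path, different content
      unexpected - changed or removed files whose name does not end in an expected
                   suffix; anything listed here needs a manual diff
    """
    a = hash_tree(baseline)
    b = hash_tree(suspect)
    common = set(a) & set(b)
    added = sorted(set(b) - set(a))
    removed = sorted(set(a) - set(b))
    changed = sorted(p for p in common if a[p] != b[p])
    unexpected = sorted(
        p for p in changed + removed if not p.endswith(tuple(expected_suffixes))
    )
    return {"added": added, "removed": removed, "changed": changed, "unexpected": unexpected}


def _write_tree(root, files):
    """Write a dict of {filename: bytes} as flat files under root."""
    os.makedirs(root, exist_ok=True)
    for name, data in files.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)


def build_sample_trees(base_dir):
    """Create two constructed toy trees standing in for unpacked src.rpms."""
    tarball = b"constructed stand-in for the upstream openssh tarball\n"
    patch_a = b"--- a/ssh.c\n+++ b/ssh.c\n@@ constructed patch A @@\n"
    baseline = os.path.join(base_dir, "openssh-older")
    suspect = os.path.join(base_dir, "openssh-newer")
    _write_tree(baseline, {
        "openssh.tar.gz": tarball,
        "openssh-fix-a.patch": patch_a,
        "openssh.spec": b"Release: 1\n%changelog\n- fix a\n",
    })
    _write_tree(suspect, {
        "openssh.tar.gz": tarball,        # unchanged upstream source
        "openssh-fix-a.patch": patch_a,   # unchanged existing patch
        # a new patch: expected only if the changelog documents it
        "openssh-fix-b.patch": b"--- a/sshd.c\n+++ b/sshd.c\n@@ constructed patch B @@\n",
        "openssh.spec": b"Release: 2\nPatch1: openssh-fix-b.patch\n%changelog\n- fix b\n- fix a\n",
    })
    return baseline, suspect


def demo(tamper=False):
    """Run the comparison over the constructed trees and return the report.

    With tamper=True the suspect tree's tarball is modified first, to show how a
    changed upstream source surfaces in the 'unexpected' list.
    """
    with tempfile.TemporaryDirectory() as tmp:
        baseline, suspect = build_sample_trees(tmp)
        if tamper:
            with open(os.path.join(suspect, "openssh.tar.gz"), "ab") as fh:
                fh.write(b"# constructed modification\n")
        return compare_trees(baseline, suspect)


if __name__ == "__main__":
    for label, report in (("clean", demo()), ("tampered", demo(tamper=True))):
        print(label)
        for key, paths in report.items():
            print(f"  {key:10s} {paths}")
```

In the clean run only `openssh.spec` changes and one patch is added, which matches the outcome the message reports; in the tampered run the tarball lands in `unexpected`. A content comparison of this kind is worth doing in addition to `rpm --checksig`, because the errata says the intruder was able to sign packages, so a valid signature on its own does not settle the question.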
