Domain: redhat.com
Stories and comments across the archive that link to redhat.com.
Comments · 4,506
-
Re:Thanks...
KVM is even better, it has all the really cool stuff that virtualbox and vmware hold behind locked doors, live migrations, multiple clients, and it's going to get a lot better.
for a GUI see virt-manager
-
Re:Not a surprise really...
If you don't want to burn a disk and have an existing installation with separate /boot partition you can just grab the vmlinuz and initrd.img files from the isolinux directory, put them in boot and write a grub entry for them.
wget -O /boot/vmlinuz-fc10install http://download.fedora.redhat.com/pub/fedora/linux/releases/10/Fedora/i386/os/isolinux/vmlinuz
wget -O /boot/initrd-fc10install.img http://download.fedora.redhat.com/pub/fedora/linux/releases/10/Fedora/i386/os/isolinux/initrd.img
Grub entry:
title Fedora 10 installation
root [your boot partition]
kernel /vmlinuz-fc10install
initrd /initrd-fc10install.img
-
Re:Create a portable lab
He really needs to look at K12LTSP and get on the mailing list for this question. It has been asked quite a few times in the last seven years.
-
This is Fedora!
who cares about ext4 when the release name is Leonidas http://www.redhat.com/archives/fedora-devel-announce/2009-January/msg00004.html
-
Fedora 10 bugs
Excellent. This will be a great feature for F11. Now, if they could just get Fedora 10 booting with an nvidia fakeraid, I'd be happy. And, fix the performance issues with intel GMA graphics, that'd be dandy too.
Fedora is my favorite distro, but this fakeraid bug is ridiculous -- keeping me from running F10 on my desktop. Sure runs nicely on my Samsung NC10, though.
-
Re:Wrong.
Red Hat, on the other hand, primarily sells a service. Their products, including an extended open-source operating system that they didn't spend that much on development for (relatively), are really just vehicles to get support contracts.
Yes Redhat sells a service however you need to qualify what that service involves. If you purchase a service from Redhat you normally get to pick from three types, 1) Web Based 2 day response (the cheapest), 2) 12x5 telephone support and 3) 24x7 telephone support. See the following prices.
What this means is Redhat must provide professionally trained service personnel who provide support over the phone by diagnosing and solving quite complex problems on all supported versions of the Redhat OS's. This type of service does not come cheap particularly when you consider that Redhat is a world wide organisation and they have to deal with customers from all over the world some who don't even speak English.
I don't know if you have ever attended any of the Redhat courses, if you have you will know they are not easy so you can't get anyone off the street to provide Redhat support.
-
Re:None.
I take it you've never heard of FreeIPA?
FreeIPA is an open source project from Red Hat's Emerging Technologies Lab. It combines Kerberos, LDAP, DNS, NTP and provides a centralized webUI (CLI utils too) to manage it all. As well as simplified install packages for both the server and clients.
http://www.freeipa.org/
Or if you want commercial support, Red Hat has their subscription re-spin of the product available too.
http://www.redhat.com/promo/ipa
The next version due out this spring is planning to include things like full AD integration, centralized sudo and SELinux policy management, etc. Have a look at the roadmap on the freeipa website.
-
Re:No openldap
First of all, why use crappy openldap when you can use the Netspace directory server that red hat bought and opensourced.
I have found openLDAP to be reliable, compatible and easy to use. Can you elaborate on why you think it is crap?
There is a reason why they paid 23$ millions for it...
And the reasons are?
Then, AD isn't just a LDAP server with usernames and passwords....
Nor is openLDAP just a store for Windows user names and passwords. I use an openLDAP server for Windows services as well as providing user configuration for other services such as sendmail. The great advantage of using FOSS is that you are free from vendor lock in and can consider non-proprietary alternatives in other areas of your network.
Which is why many people can only use Windows setups. There's nothing like AD in the FOSS world. To start with, FOSS client apps should be lockdown-able from the server. But you can't do that...
I mean, in a office with a linux server and some linux clients, try to lockdown some options on Firefox, the desktop, evolution....surprise, you can't do it. Oh, yeah, there're a lot of workarounds everywhere, but they are different if you use KDE or Gnome or depending on the app you are using. It's a horrible mess.
Nowhere in the article do I see a desire to use FOSS desktop clients. The submitter simply wants to replace AD server with a non MS LDAP based alternative.
Windows clients and servers, on the other hand, are VERY well coupled. The day someone cares to fix this in the FOSS world, a lot of people will start using Linux in corporate networks.
This is otherwise known as vendor lock in. Some of us have tried very hard to break free of it to avoid being held to ransom by a vendor.
Until then, Windows is pretty much the only realistic option. I can't understand why Red Hat, Suse and Ubuntu don't put more efforts on this, it's one of the biggest showstoppers for Linux adoption.
I have been running what you consider an unrealistic option for the best part of a decade. I have yet to be fired. Sirius the consultancy I recommended have a client list of blue chip companies, local government and schools. They are all running some form of FOSS backend. You might like to take a fresh look at FOSS, it really works in the real world.
In my previous post I forgot to mention that OGC/Becta are the government agencies responsible for technology in the UK educational environment. It is considerably easier for a UK school to use a Becta accredited supplier than any other supplier. It is an incredible achievement for Sirius to gain that accreditation as no other FOSS consultancy has managed to cut through government red tape thus far.
-
No openldap
First of all, why use crappy openldap when you can use the Netspace directory server that red hat bought and opensourced. There is a reason why they paid 23$ millions for it...
Then, AD isn't just a LDAP server with usernames and passwords....
Which is why many people can only use Windows setups. There's nothing like AD in the FOSS world. To start with, FOSS client apps should be lockdown-able from the server. But you can't do that...
I mean, in a office with a linux server and some linux clients, try to lockdown some options on Firefox, the desktop, evolution....surprise, you can't do it. Oh, yeah, there're a lot of workarounds everywhere, but they are different if you use KDE or Gnome or depending on the app you are using. It's a horrible mess.
Windows clients and servers, on the other hand, are VERY well coupled. The day someone cares to fix this in the FOSS world, a lot of people will start using Linux in corporate networks. Until then, Windows is pretty much the only realistic option. I can't understand why Red Hat, Suse and Ubuntu don't put more efforts on this, it's one of the biggest showstoppers for Linux adoption.
-
Re:All modern desktop distros are easy
I strongly disagree with you about the Microsoft deal. And I'm not particularly fond of Mono either -- and I don't understand Miguel de Icaza's absurd obsession with anything that comes out of Redmond (see: Moonlight, for example).
Secondly, I just checked, and you can download a free copy of Mandriva.
Okay. I didn't know that.
Guess what you cannot get for free from Canonical? Support that does not involve an IRC channel or message board.
Neither can you from Red Hat or Novell, I would suspect...
Canonical also charges more for a single support license than Red Hat or Novell.
I don't care what Canonical charges! I'm not interested in buying any support contracts. I merely replied to your point about why Ubuntu was getting so much attention, and now it feels like I'm expected to defend Canonical's business decisions all of a sudden :-)
Fedora is Red Hat's declared desktop strategy, and the latest edition (Fedora 10) is excessively easy to install and use, and *just works,* under the same definition of "just works" that the Ubuntu fans use. Fedora is as suitable for "regular users" as Ubuntu is
On http://www.redhat.com/software/rhelorfedora/, Fedora is described as being something you should use if you are a "Developer or highly technical enthusiast".
(And I thought "just works" was a GNOME motto that Ubuntu adopted? Maybe I remember incorrectly.)
So your argument basically amounts to this: Novell and anything they sponsor is bad, because they have a deal with Microsoft,
Something like that :-)
except when you need something they put a lot of work into like Mono, in which case it is OK,
I don't care about Mono. Mono could die tomorrow and it wouldn't concern me.
Mandriva is bad because they used to charge for some packages,
I didn't know it was free of charge now. I still wouldn't choose to run it, though. But I didn't say it was "bad", I just replied to your question about why Ubuntu was getting so much attention.
and Fedora is not suitable for end users because you said so.
No, because Red Hat said so! Big difference.
But Ubuntu is OK because it is free, not involved in a Microsoft deal
I'd throw in "and Debian-based", which I happen to like a lot, but yeah :-)
and never mind the fact that they just rebrand the work of everyone else.
Why all the Ubuntu-hating? It's a nice distro. You're making it sound like I hate Fedora or Red Hat! I don't! I'm fully aware of their MASSIVE contribution to the GNU/Linux desktop! I support them! I'd own shares in Red Hat if I could afford to buy any! All I'm saying is that Ubuntu is the distribution I choose to install on the machines of my family/girlfriend/friends/etc., because it's nice and neat and polished and just works.
-
Re:rambling comments from a labtech...
One that includes an image-casting process that allows 100s of computers to be managed (deployed, updated, etc.) from a central console (PXE boot, the works).
Then you might want to take a look at RedHat Satellite or RedHat Spacewalk. Debian has a similar project called FAI - Fully Automated Installer.
I've seen a managed environment of over 1000 servers in RH Satellite done by about 6 people (including developers extending the Satellite default capabilities), impressive. Spacewalk is kind of the next generation of Satellite, but completely free (and thus only community supported). FAI is used for rollout of small and big projects alike, they have an acknowledgement section on their site where you can look around.
-
Re:Virtualization
(Blatant plug, but it's all open source software so what the heck ...)
Don't forget Red Hat's KVM. Been part of the Linux kernel for about 2 years, and now supports pretty well all the "enterprisy" virtualization features you could need.
And Red Hat are developing a nice GUI management interface which scales to managing 1000s of nodes.
Rich.
-
Prior Art.
http://www.redhat.com/docs/manuals/linux/RHL-6.2-Manual/getting-started-guide/index.html
Copyright © 2000 by Red Hat, Inc.
http://www.redhat.com/docs/manuals/linux/RHL-6.2-Manual/getting-started-guide/s1-managers-kfm.html
"Show Thumbnails -- If you have images in a directory, selecting this option will show you tiny representations of them. This view is useful if you keep family photos or artwork."
--
BMO
-
Re:OT, I know, but not completely
this is what the red hat bugzilla is for https://bugzilla.redhat.com/ bugs. or perhaps the fedora forums http://fedoraforum.org/ or perhaps #fedora on freenode.
Not a windows story on slashdot, because posting about it here is not really going to get it fixed...
-
Re:IPv6 address for slashdot.org
devices that support IPv6 but don't have IPv6 connectivity may mistakenly try to do IPv6 first and time out. This was a problem with Mac OS X briefly,
And is (apparently) currently an issue with Fedora 10.
-
Re:TCO
With Red Hat you can go to a website and it will list all your systems and whether they need patching.
-
Re:Where is the payback ?
Again, Where is the download link of RHEL ?
-
Novell peeing in the FOSS pool
I haven't been firmly convinced either way, but their stance seems to be that Novell is basically Microsoft's sleeper agent, and that the OSS world would be better off if they just disappeared tomorrow, even though that would mean some of the less-evil things they're doing would stop, than if they continue. I.e., they think the continued existence of Novell, taken as a whole in its current form, is a bad thing.
Seeing as Novell has been acting as M$ agent provocateur for some time, it seems that Novell is by far doing more harm than good. Developers and hangers-on alike in projects that Novell gets involved end up denial-of-serviced. This is done by all the petty arguments Novellers stir up in their pursuit of injecting M$ proprietary technology in to FOSS projects.
So on the whole, the FOSS world would be better off if Novell just disappeared tomorrow. Come to think of it, so would the rest of industry.
In contrast, if you want to see the model of a strong contributor to FOSS look at Red Hat.
-
Re:so..
at least for some distros (primarily redhat heritage, also some suse capabilities) there's http://dag.wieers.com/home-made/mrepo/
there's also http://www.redhat.com/spacewalk/, the recently opensourced satellite spinoff - but it still requires oracle as a backend, so screw that ;)
-
Re:strl- cpy and cat
Sure would be nice to have them. I suppose the gcc maintainers would never admit to someone from the openbsd group knowing what they're doing, though.
That belongs into (g)libc, not into the compiler. It's Ulrich Drepper who is blocking it (see this thread on the glibc mailing list).
-
Re:The biggest most awesome change in Intrepid!!!
I assume it's the same as this bug: Red Hat bug 468107 - gdm buttons don't work at first.
Do you know the upstream bug number?
-
Re:Security administration?
This would be a start: http://www.redhat.com/promo/ipa/
-
Re:Well, here we go
I don't know about "never". This sounds suspiciously close to being an anti-defrag apologist. (Don't feel bad. I used to be one, too. :-)
Ext4 is adding support for online defragging, and an 'e4defrag' program to do just this. Redhat claims performance gains of 25% for a single 1GB file, and 29% for accessing all files in the Linux source.
I suppose I don't technically *need* that, but if my hard drives can get a 25% speed boost for a kernel upgrade, I'll sure take it.
Couldn't this be a case where *both* sides are partially right? Microsoft filesystems could be better designed. Linux filesystems could use a defragger. I'm certainly not too proud to admit defragging is a good idea!
-
Re:Please, we want Debian 4.1, not 5.0
Red Hat marketing may not acknowledge point releases, but they do indeed exist. And CentOS tracks 'em. That's why I know. (Too cheap for RHEL, too lazy for Fedora. I use Kubuntu for desktops, but the server has always been in the Red Hat lineage.)
-
Re:A question here. Really, no kidding...
Yes and no. If you have a newer EeePC with an atl2e chip, Atheros posted an atl1e driver (which also drives atl2e) and that has been merged in 2.6.27. If you have an older EeePC with an atl2 chip, I didn't start getting new patches from Atheros for that driver until *after* they posted atl1e, so that's queued up for 2.6.28. Most distros currently use the pre-merge atl2 driver, or you can download it from http://people.redhat.com/csnook/atl2/
The good news is that Atheros is committing to much more active upstream involvement going forward, so we can expect more timely support of new hardware from them in the future.
-
That's nice, but...
Have they fixed the aacraid driver yet? The new kernel doesn't do me a bit of good if all I get on boot is a continuous stream of:
aac_srb: aac_fib_send failed with status: 8195
and my disk array is not recognized.
http://lkml.org/lkml/2008/5/12/365
https://bugzilla.redhat.com/show_bug.cgi?id=450444
http://bugs.gentoo.org/show_bug.cgi?id=233364
http://bugs.centos.org/bug_view_advanced_page.php?bug_id=2911
http://marc.info/?l=linux-kernel&m=122166454808377&w=2
http://linux.derkeiler.com/Mailing-Lists/Kernel/2008-10/msg02493.html
-
RedHat EL 5 documentation says....
Arguably RH is the authority on the subject... See their documentation here.
-m
-
Amazon has been beta a similar idea for a while
Amazon has been beta testing running Windows servers on EC2, and from what I've heard from Amazon, one of the challenges is creating a Microsoft license that will allow Microsoft to capture revenue from this and similar projects elsewhere.
I wouldn't be surprised if they used a business model similar to Red Hat's cloud image, where Red Hat gets a tiny payment for every hour the server is running.
-
Re:Open standards, healthy competition, free softw
Mostly correct. Netscape made money selling their horrid web server in corporate environments. They were giving the browser away for free for non-commercial users. If the truth were told, back when Netscape was a relevant browser, most of my coworkers were grabbing the free, non-commercial version and installing it at work. And Netscape didn't really care, as they were giving away their browser in order to drive sales of their server. Netscape's server arm survived for a loooong time, finally becoming the basis for Sun's application server. IIRC, only the newest version of Sun's app server (i.e. 9.x aka GlassFish) doesn't directly trace its roots to Netscape/iPlanet. And let's not forget Netscape Directory Server. Or, as it's known today, RedHat Directory Server. During the dot-com era, it was one of the better LDAP implementations.
-
Some people have had troubles
I have actually not had a flash crash in my whole Linux experience that started when I installed breeze on 2006...
I mean, really... Is this whole stuff about flash crashing just plain hysteria? Or is it someone that happened to some guy and Linux basher everywhere just repeat like parrots?
Yeah. You might have heard of him... check out Linus Torvalds' Fedora 9 flash issue on Red Hat's bugtracker, titled "youtube no workee":
Description From Linus Torvalds 2008-03-31 15:37:13 EDT
Description of problem:
youtube no workee - fedora 9 not usable for wife
Version-Release number of selected component (if applicable):
swfdec.x86_64 0.6.2-1.fc9
swfdec-gtk.x86_64 0.6.2-1.fc9
swfdec-mozilla.x86_64 0.6.0-1.fc9
How reproducible:
I didn't try a lot of videos, but I couldn't find a single one that actually worked. And what's the internet without the rick-roll?
Some just show a light gray background, some give the play buttons etc, but show only a black screen even when the red ball at the bottom moves along..
Steps to Reproduce:
1. Install current Fedora 9
2. Rick-roll!
3. No profit!
Actual results:
Some videos just show a light gray background, some give the play buttons etc, but in the latter case show only a black screen even when the red ball at the bottom seems to moves along..
Expected results:
Rick Astley in all his glory! People have reported that youtube videos are supposed to work with swfdec, so I presume they have worked at some point and have been broken recently.
Just to test that this isn't just a anti-rick-roll security feature, I also tested some other videos, but let's face it - we do need Rick for the "Full Internet Experience".
Additional info:
This is "high" priority because the wife will kill me if she doesn't have her videos. And the adobe player won't install on current rawhide due to some library issues.
"Obi-wan Kenobi, you're our only hope"
Posting AC because I already modded in this thread, but thought that this should be pointed out.
-
Re:gotta say, this is BAD
RedHat specifically said that packages obtained through RHN were safe. Do you get all your packages through RHN?
http://www.redhat.com/security/data/openssh-blacklist.html
They also said that if you detected blacklisted packages on your system, to contact RedHat support by either opening a ticket, calling your local support center or contacting your Technical Account Manager. Did you?
It's not absolutely clear to me whether or not the blacklisted packages have been trojaned or not, but it is clear that all updates obtained through RHN are safe.
What would be interesting to know is how exactly did you get your blacklisted packages installed on your system? Did you get them through RHN or some other channel?
-
Fedora updates have just been re-enabled
https://www.redhat.com/archives/fedora-devel-list/2008-September/msg00842.html
In due time you can probably expect a more complete picture of what happened. I think the "Fedora/RedHat keeps us in the dark" view is overly alarmist.
-
Re:The jury must be very patient, indeed
I would have phrased it differently: The issue isn't fully known, thus there's a problem.
There's been quite a lot of time.
That's true. The issue is can you say confidently that disclosure of the problem wouldn't put users at risk?
That's the only reasonable reason for the delay that I can see. Since these guys are usually quite reasonable I'm making the assumption that's what's going on (or something I've completely missed). It may turn out my trust was misplaced - we should know shortly. Jesse Keating just announced updates are going out to the mirrors since I last posted.
-
So what exactly is Red Hat hiding?
OK, some servers got hacked, the attackers didn't inject rogue packages into the repository servers so no customers/users were affected. Red Hat/Fedora responded by auditing everything and releasing a statement, along with tools to detect packages with the attackers' signature. Big deal.
Seriously, what else is there to be known about it?
Yeah, say whatever you want, but it's not as if Debian never had its servers compromised in a similar fashion, and never had to perform some PR damage control.
Unlike Debian, Red Hat is a publicly traded company with a whole bunch of customers with signed SLAs. Handling such matters without press trolls all rolling over it spreading FUD and causing unnecessary panic is _not_ an easy task, as can be beautifully shown by TFA.
I respectfully disagree with Bruce Perens. The Debian OpenSSL fiasco was so much more serious, damaging and dangerous to users all over the world, it's not even fair to compare. We're talking about millions of known networks and sessions compromised in Debian over a year and a half period, versus none in Red Hat over a week.
I appreciate how Debian acted _after_ the fact, but was there any other way to handle such a terrible mishap?
This is not about flawed Open Source policies, this is about seriously flawed journalism, where conspiracy theories are used to make a story where there is none.
-
This is an ongoing investigation
This seems to be, from reading the Fedora and Red Hat statements, an ongoing investigation. The same way the police don't comment about investigations in progress, Red Hat is keeping mum. Keep in mind, the breach may be very complex and not something that they can confidently say "we understand" without a very detailed analysis.
They announced the issue immediately and took steps. For now, give them the benefit of the doubt that further details will be forthcoming once a proper investigation has been completed.
-
Re:As long as you're asking
Solaris has cachefs, which is a supported local NFS cache. Quick googling suggests AIX has something too
Linux has this: http://people.redhat.com/~dhowells/cachefs/
which appears to be actively developed although does not appear to be in the mainline kernel.
-
Re:Slashot? Hockey?
-
Re:vilifying the right people
Most people learn in kindergarten that just because you can get away with doing something wrong doesn't mean you should.
People, yes, not companies. Corporations are pretty much required to do anything they can to extract profits, so long as it's legal. Filing a patent like this might be stupid and selfish, but it's certainly not illegal.
Of course that doesn't entirely let MSFT off the hook. They could do as Red Hat do: file patents but at the same time work to fix the broken system.
Rich.
-
Re:Cathedral to APTs bazaar?
No they don't support it. I've had many, many conversations with distributors over the years about this topic. It "works" simply because of the way the tools are constructed. But they provide absolutely no guarantees that your app won't break tomorrow with some update they push, and are completely unwilling to make any such guarantees.
That's not true. Distributions guarantee that they will support certain standards in terms of having a minimum number of common dependencies installed in specific locations -- see the LSB -- and enterprise distributions guarantee binary compatibility between libraries in point releases and upgrades. As such, 3rd-party packagers who rely on these guarantees are indeed safe -- and any breakage caused would be accepted by the distributor as a bug. Keep in mind: Enterprise Linux distributions are intended to be used with 3rd-party software, both internal to the customer and sold by commercial vendors. Breaking binary compatibility wantonly is in nobody's best interests.
Finally, enterprise vendors do guarantee a stable ABI for the life of their product; that's part of why you buy (or use a derivative of) an enterprise distribution.
-
Re:waiving your support contract?
they won't support a system that doesn't have the latest updates
I am a Tech Support Engineer at Red Hat. Your statement is incorrect.
We do provide support for older packages (assuming you are running a RHEL version that isn't over 7 years old and even then we usually provide best effort support). However if you hit a known bug when running package version X and we have released a fix in version Y we'll ask you to upgrade to version Y and won't provide a version X.y just for you. Well, you can still apply patch from Bugzilla and compile your own X.y but we can't provide real support for that. Of course, if you get into troubles when upgrading to version Y we'll support you (and provide version Z if you hit another bug).
Now, when we need to quickly find the cause of a problem (and a workaround and a proper fix) it is not unusual to ask if you can reproduce it with latest version, especially with complex packages that change quickly (like the kernel) but we understand this is not always practical and we surely don't systematically ask you to upgrade to latest version.
-
A fix is coming
Hey, looking at the official Bugzilla page for this bug :
https://bugzilla.redhat.com/show_bug.cgi?id=379791
(scroll down to the bottom)
It looks like RedHat is using the exact test package I and a co-worker of mine put together that illustrates this issue. And clearly RH has a Perl build in house that completely fixes this issue.
Look forward to a complete fix soon folks!!!
-CJ
-
Re:Article is a troll
Still think it's a troll?
This is what a perl core hacker has to say about the issue:
It seems that there is still a problem with RedHat's packaged perl 5.8."8"**. RedHat seem to have an aggressive policy of incorporating pre-release changes in their released production code. This would not be so bad if they actually communicated back with upstream (i.e. me and the other people on the perl5-porters mailing list), or demonstrated that they had sufficient in-house knowledge that they didn't need to. But evidence suggests that neither is true, certainly for 5.8.x
Let me stress that there has never been this problem in any released Perl, 5.8.7, 5.8.8, 5.10.0, and it won't be in 5.8.9 either when it comes out. The problem was caused by changes I made in the 5.8.x tree that RedHat integrated. End users reported the first bug something like 2 years ago, and RedHat closed it as "upstream patch" rather than reporting back "you know that pre-release change you made, that we integrated - well, it seems to have some problems"
(...)
For their versions affected, RedHat merely need to put out a patch integrating changes 31996, 32018, 32019 and 32025 which FIX IT, are documented as FIXING IT, and are from NOVEMBER 2007.
-
Re:Tech support.
Each license bought allows for tech support from Microsoft. Is there any such tech support from open source developers?
Of course there is.
https://www.redhat.com/apps/support/
http://www.ubuntu.com/support/paid
http://www.novell.com/support/product/products.do
http://www-03.ibm.com/linux/prod_svc.html ....
-
What the compromised packages contained?
Our RHEL5/x86_64 system has been affected by this problem: I have run the script from Red Hat openssh blacklist page, and found that all four openssh packages (openssh, openssh-clients, openssh-askpass, openssh-server) had their checksum on the blacklist. I took the server down, created a backup snapshot of the root disk, and I am currently reinstalling it, while checking other volumes and the root volume snapshot for any signs of intrusion.
The most annoying thing is that Red Hat remains silent on the main problem: what the compromised packages contained, how to determine whether the possible attacker exploited the access offered by those packages or not, when exactly were the packages signed, what other precautions to do on other servers (notify users which use the same password as on a compromised server, check for other modified binaries, etc.). I have verified that I had trojanized binaries on my system, but apart from that, it is not clear what else the possible attacker managed to do.
Red Hat says the packages were not distributed over RHN, so I wonder how I got them. I had another repository in my yum.conf: rpmforge. Maybe this was the source of the malware. My syslog (even a copy on a syslog server) did not say anything about upgrading openssh in the last month or so. However, on Aug 15 it upgraded the YUM RHN plugin. On the same day our dovecot stopped responding, saying the time went backwards (and yes, there was time move several weeks back and then forward, according to dovecot log). Also the rpm -qi said the package was built on Aug 13 13:13:03, and signed five minutes later. However, the install time reported by rpm on my system was July 25 (which would correlate with the time slip reported by dovecot).
Did anybody else meet the trojanized openssh mentioned in the advisory? Please share your findings.
Posting as AC for obvious reasons, sorry.