Red Hat remains highly confident and further believes that customers who keep their systems updated using Red Hat Network are not at risk.
To verify that your system is not affected please follow the steps outlined at the OpenSSH Blacklist Announcement:
To use the GPG signature key to verify the integrity and authenticity of the scripts please follow the instructions below:
Download the Red Hat Security Response Team public key:
wget -c https://www.redhat.com/security/650d5882.txt
Import the Red Hat Security Response Team public key:
gpg --import 650d5882.txt
Verify the script signature matches that of the Security Response Team:
gpg --verify openssh-blacklist-1.0.sh.asc
Please note you will need to have downloaded the openssh-blacklist-1.0.sh.asc file as provided on the OpenSSH Blacklist Announcement page.
Successful verification is indicated as:
gpg: Signature made Fri 22 Aug 2008 05:02:29 AM EDT using DSA key ID 650D5882
gpg: Good signature from "Red Hat, Inc. (Security Response Team) "
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 9273 2337 E5AD 3417 5265 64AB 5E54 8083 650D 5882
The primary key fingerprint will match the public key fingerprint provided at: https://www.redhat.com/security/team/key/
Note: The "WARNING" output is expected, and does not invalidate the verification.
The key was retrieved over HTTPS from a Red Hat site whose certificate identifies it as Red Hat's and can be confirmed in the web browser.
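Added example, not part of the Red Hat page: a POSIX shell check that reads gpg's machine-readable --status-fd output and accepts the signature only when the VALIDSIG line carries the full expected primary key fingerprint, instead of relying on the short key ID in the human-readable "Good signature" line. The expected fingerprint is the one printed on this page; the sample status lines, timestamps and function names are constructed for illustration.

```shell
#!/bin/sh
# Expected primary key fingerprint of the Red Hat Security Response Team key
# (as printed on this page; cross-check it against
# https://www.redhat.com/security/team/key/ before relying on it).
EXPECTED_FPR="92732337E5AD3417526564AB5E548083650D5882"

# check_status: read "gpg --status-fd 1" output on stdin and return 0 only if
# a VALIDSIG line names the expected fingerprint. VALIDSIG's 3rd field is the
# signing key fingerprint and its last field (newer gpg) is the primary key
# fingerprint; either must match the full 40-hex value, not just a key ID.
check_status() {
    awk -v want="$1" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            if ($3 == want || $NF == want) ok = 1
        }
        END { exit (ok ? 0 : 1) }'
}

# verify_blacklist_script: run the verification from the page but judge the
# result by fingerprint. Usage: verify_blacklist_script openssh-blacklist-1.0.sh.asc
# (the detached signature and the script must sit in the current directory).
verify_blacklist_script() {
    gpg --status-fd 1 --verify "$1" 2>/dev/null | check_status "$EXPECTED_FPR"
}

# sample_status: constructed status lines resembling a successful verification
# with the key above (the numeric timestamp fields are made up).
sample_status() {
    printf '%s\n' \
        '[GNUPG:] NEWSIG' \
        '[GNUPG:] GOODSIG 5E548083650D5882 Red Hat, Inc. (Security Response Team)' \
        "[GNUPG:] VALIDSIG $EXPECTED_FPR 2008-08-22 1219395749 0 4 0 17 2 00 $EXPECTED_FPR"
}

# Offline demonstration on the constructed sample: prints OK.
if sample_status | check_status "$EXPECTED_FPR"; then
    echo "OK: signature made by key $EXPECTED_FPR"
else
    echo "FAIL: no VALIDSIG with the expected fingerprint"
fi
```

A matching GOODSIG line on its own is not enough, because the 32-bit key ID 650D5882 shown in the human-readable output is far easier to collide than the full fingerprint.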