[TriLUG] Fwd: OpenSSH Security Advisory: Trojaned Distribution Files

Mike Johnson mike at enoch.org
Thu Aug 1 13:03:46 EDT 2002


Mike Mueller [mjm-58 at mindspring.com] wrote:
 
> Would the problem have been caught if the MD5s were checked, or were the 
> checksums compromised as well?  If the checksums were compromised, then can 
> anything anywhere be trusted?

The MD5s were distributed.  That's how the ports system works.  You get
a tarball with descriptions on how to build the packages from source,
including MD5s.  Those MD5s were usually downloaded well before the
build.

For instance, I download the ports tarball and install that.  A few days
later, I decide I want OpenSSH.  I then tell the system to download and
build from source.  It downloads the tarball and compares it to the MD5
from the ports tarball.  If no match, no compile.

Also, the ports tarball could have come from any number of mirror sites.

Basically, depending on timing of your download of the ports tarball,
you'd be safe from this sort of thing.

Mike
-- 
"Let the power of Ponch compel you!  Let the power of Ponch compel you!"
   -- Zorak on Space Ghost

GNUPG Key fingerprint = ACD2 2F2F C151 FB35 B3AF  C821 89C4 DF9A 5DDD 95D1
GNUPG Key = http://www.enoch.org/mike/mike.pubkey.asc
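The check described in the message above (distfile fetched at build time, compared against an MD5 recorded in a ports tarball obtained earlier, no match means no compile), as an added example that is not part of the original post and not the FreeBSD ports framework's own code. It assumes a distinfo-style record of `MD5 (file) = hash` and `SIZE (file) = bytes` lines; the file name `example-1.0.tar.gz`, its five-byte contents and the temporary directory layout are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the TriLUG post or any ports tree): a distinfo-style
# checksum gate. The hash and size are pinned in a record obtained earlier and
# independently of the distfile, so a distfile swapped on a mirror fails the
# check and the build does not proceed.
set -eu

# Portable MD5 of a file: GNU coreutils md5sum, falling back to BSD md5.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# verify_distfile DISTINFO FILE
# Exit status 0 when FILE's size and MD5 match the entries recorded for its
# basename in DISTINFO; 1 on a mismatch; 2 when nothing is recorded for it.
verify_distfile() {
    distinfo=$1
    file=$2
    name=$(basename "$file")
    want_md5=$(sed -n "s/^MD5 ($name) = //p" "$distinfo")
    want_size=$(sed -n "s/^SIZE ($name) = //p" "$distinfo")
    if [ -z "$want_md5" ] || [ -z "$want_size" ]; then
        echo "$name: no checksum recorded in $distinfo; refusing to build" >&2
        return 2
    fi
    have_size=$(wc -c < "$file" | tr -d ' ')
    if [ "$have_size" != "$want_size" ]; then
        echo "$name: size $have_size, expected $want_size; refusing to build" >&2
        return 1
    fi
    have_md5=$(md5_of "$file")
    if [ "$have_md5" != "$want_md5" ]; then
        echo "$name: MD5 $have_md5, expected $want_md5; refusing to build" >&2
        return 1
    fi
    echo "$name: checksum OK, proceeding to build"
}

# Constructed fixture, not a real distribution file: the "tarball" is the five
# bytes "hello", whose MD5 is the well-known 5d41402abc4b2a76b9719d911017c592.
# The distinfo file plays the role of the record shipped in the ports tarball.
make_fixture() {
    dir=$(mktemp -d)
    printf 'MD5 (example-1.0.tar.gz) = 5d41402abc4b2a76b9719d911017c592\n' > "$dir/distinfo"
    printf 'SIZE (example-1.0.tar.gz) = 5\n' >> "$dir/distinfo"
    printf 'hello' > "$dir/example-1.0.tar.gz"
    echo "$dir"
}

# The distfile exactly as recorded: the gate lets the build proceed.
genuine_distfile_passes() {
    fx=$(make_fixture)
    verify_distfile "$fx/distinfo" "$fx/example-1.0.tar.gz"
}

# A mirror serves a substituted distfile of the same length, so only the hash
# catches it. Returns 0 when the gate correctly rejects the file.
trojaned_distfile_fails() {
    fx=$(make_fixture)
    printf 'hellO' > "$fx/example-1.0.tar.gz"
    if verify_distfile "$fx/distinfo" "$fx/example-1.0.tar.gz"; then
        return 1
    fi
    return 0
}

genuine_distfile_passes
trojaned_distfile_fails
```

What the thread turns on is where the hash comes from: the record only protects you if it was obtained before, or independently of, the distfile itself, which is why the timing of the ports-tree download mattered. Modern ports trees record SHA256 rather than MD5, and MD5 should not be chosen for new integrity checks, but the shape of the gate is the same.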
