[TriLUG] Fwd: OpenSSH Security Advisory: Trojaned Distribution Files

Jonathan Rippy jonathan.rippy at interpath.net
Thu Aug 1 13:02:47 EDT 2002


Personally, I think the developers should GPG sign the
valid distributions.  Then, the tool could verify the signatures.

Does any distro do this?  (I'd assume some do ... not sure off
the top of my head.)


Mike Mueller wrote:

> On Thursday 01 August 2002 12:11, Brian Daniels reputedly wrote:
> 
>>>>1. Systems affected:
>>>>
>>>>OpenSSH version 3.2.2p1, 3.4p1 and 3.4 have been trojaned on the
>>>>OpenBSD ftp server and potentially propagated via the normal mirroring
>>>>process to other ftp servers.  The code was inserted some time between
>>>>the 30th and 31st of July.  We replaced the trojaned files with their
>>>>originals at 7AM MDT, August 1st.
>>>>
>>...
>>
>>
>>>>When building the OpenSSH binaries, the trojan resides in bf-test.c
>>>>
>><snip>
>>The _really_ scary question is how they got into openbsd.org, and what else
>>did they mess with?
>>
> 
> Would the problem have been caught if the MD5s were checked, or were the 
> checksums compromised as well?  If the checksums were compromised, then can 
> anything anywhere be trusted?
> 


-- 
jonathan rippy
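A check along the lines Jonathan proposes, as an added example that is not from the list post or from the OpenSSH project: a POSIX sh script that verifies a release tarball's detached GPG signature against a key fingerprint obtained out of band, then runs the checksum comparison Mike asks about, with comments on why the checksum alone cannot answer his question. It assumes gpg and sha256sum are installed; the file names and the pinned fingerprint are placeholders.

```shell
#!/bin/sh
# Added example, not code from the TriLUG post or from the OpenSSH project.
# Assumes gpg and sha256sum are on PATH; paths and fingerprint are placeholders.

# Verify a detached signature on the tarball and require that the signing
# key's fingerprint matches one pinned here, which must come from a source
# other than the mirror (project web page over TLS, key-signing party, etc.).
verify_signature() {
    tarball=$1; sig=$2; expected_fpr=$3
    # --status-fd 1 emits machine-readable lines; VALIDSIG carries the fingerprint
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$tarball" 2>/dev/null) || return 1
    fpr=$(printf '%s\n' "$status" | awk '$2 == "VALIDSIG" { print $3; exit }')
    [ "$fpr" = "$expected_fpr" ]
}

# Compare the tarball against a "hash  filename" checksum list (sha256sum
# here; the 2002 advisory published MD5 sums, the logic is the same).
# This detects corruption in transit, but an attacker who can replace the
# tarball on the mirror can also rewrite the checksum file beside it.
verify_checksum() {
    tarball=$1; sumfile=$2
    expected=$(awk -v f="$(basename "$tarball")" '$2 == f { print $1; exit }' "$sumfile")
    [ -n "$expected" ] || return 1
    actual=$(sha256sum "$tarball" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
}

# The signature is the real gate; the checksum is only a cheap sanity check
# and is never accepted on its own.
verify_release() {
    tarball=$1; sig=$2; expected_fpr=$3; sumfile=$4
    verify_signature "$tarball" "$sig" "$expected_fpr" || { echo "bad or unexpected signature" >&2; return 1; }
    verify_checksum "$tarball" "$sumfile" || { echo "checksum mismatch" >&2; return 1; }
}

# Usage: ./verify-release.sh openssh-3.4p1.tar.gz openssh-3.4p1.tar.gz.sig <FINGERPRINT> SHA256SUMS
if [ $# -eq 4 ]; then
    verify_release "$1" "$2" "$3" "$4" && echo "release verified"
fi
```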