Mailinglist Archive: opensuse-security (9 mails)

Re: [opensuse-security] Failed digest verification with package updates from build service projects
  • From: Ludwig Nussel <ludwig.nussel@xxxxxxx>
  • Date: Fri, 26 Mar 2010 09:05:16 +0100
  • Message-id: <201003260905.16605.ludwig.nussel@xxxxxxx>
Hans-Peter Jansen wrote:
> Given that both originate from the same project and both are critical
> from a security POV, I _am_ worried about this behavior. Is there
> somebody tampering with those packages?

> It gets stranger and stranger: for some reason, the verification for
> libcurl4 succeeded in another attempt:

download.opensuse.org redirects to mirrors. Maybe one of them has a
corrupted package. I don't know if zypper has options to print
redirects. You could try fetching the file manually using wget to
see which mirror was used though.

> Now that version binds against libssh2, which wasn't installed
> obviously. With the unfriendly result of:
>
> # zypper
> zypper: error while loading shared libraries: libssh2.so.1: cannot open
> shared object file: No such file or directory

Just don't press 'i', i.e. 'ignore', if zypper prompts you, to avoid such
errors :-)

> @crrodriguez: the whole issue might be a red herring, but let's face it:
> such moves need a bit more verbose description, and given that these libs
> crept into my system via devel:/languages:/python, while they flag themselves
>
> Distribution: devel:libraries:c_c++ / openSUSE_11.1
>
> doesn't raise users' confidence. In fact, it keeps smelling fishy...

There's an _aggregate file in devel:languages:python/curl that copies curl
binaries from devel:libraries:c_c++ to avoid rebuilding curl in
devel:languages:python too.

cu
Ludwig

--
(o_ Ludwig Nussel
//\
V_/_ http://www.suse.de/
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
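
The manual check suggested in the reply above (fetch the file with wget and see which mirror served it), as an added example that is not part of the original mail: the functions below read the header dump that `wget --server-response` writes to stderr, list the redirect targets, name the host that finally served the file, and compare two fetched copies by SHA-256. The mirror host names, the package path and the sample header dump are constructed.

```shell
#!/bin/sh
# Added example, not from the original mail. Typical use (URL is a placeholder):
#   wget --server-response -O pkg.rpm "$url" 2>headers.txt
#   serving_host < headers.txt

# Print each redirect target found in a wget header dump, in order.
# With --server-response, wget shows every Location twice (the raw header
# and its own "Location: ... [following]" line), so duplicates are collapsed.
redirect_chain() {
    sed -n 's/^[[:space:]]*[Ll]ocation:[[:space:]]*//p' |
        tr -d '\r' |
        sed 's/[[:space:]]*\[following\][[:space:]]*$//' |
        uniq
}

# Print the host name of the last redirect target, i.e. the mirror used.
serving_host() {
    redirect_chain | tail -n 1 | sed 's#^[A-Za-z]*://\([^/:]*\).*#\1#'
}

# Succeed only if two downloaded copies have the same SHA-256 digest.
same_content() {
    [ "$(sha256sum < "$1" | cut -d' ' -f1)" = "$(sha256sum < "$2" | cut -d' ' -f1)" ]
}

# Constructed sample of wget --server-response output (two redirects).
sample_headers() {
    cat <<'EOF'
--2010-03-26 09:00:00--  http://download.opensuse.org/path/to/package.rpm
HTTP request sent, awaiting response...
  HTTP/1.1 302 Found
  Location: http://mirror-a.example.org/path/to/package.rpm
Location: http://mirror-a.example.org/path/to/package.rpm [following]
--2010-03-26 09:00:01--  http://mirror-a.example.org/path/to/package.rpm
HTTP request sent, awaiting response...
  HTTP/1.1 301 Moved Permanently
  Location: http://mirror-b.example.org/pub/path/to/package.rpm
Location: http://mirror-b.example.org/pub/path/to/package.rpm [following]
--2010-03-26 09:00:02--  http://mirror-b.example.org/pub/path/to/package.rpm
HTTP request sent, awaiting response...
  HTTP/1.1 200 OK
  Content-Type: application/x-rpm
EOF
}

echo "served by: $(sample_headers | serving_host)"
```

Fetching the same file twice and running `same_content` on the two copies shows whether different mirrors are handing out different bytes.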