Mailinglist Archive: opensuse-security (9 mails)

Re: [opensuse-security] Failed digest verification with package updates from build service projects
  • From: Peter Pöml <peter@xxxxxxxx>
  • Date: Fri, 26 Mar 2010 14:52:06 +0100
  • Message-id: <08656125-9066-4C80-B41F-FFB35C645E90@xxxxxxxx>

On 26.03.2010 at 09:05, Ludwig Nussel wrote:

> Hans-Peter Jansen wrote:
>> Given, that both originate from the same project and both are critical
>> from a security POV, I _am_ worried about this behavior. Is there
>> somebody tampering with those packages?
>>
>> It gets stranger and stranger: for some reason, the verification for
>> libcurl4 succeeded in another attempt:
>
> download.opensuse.org redirects to mirrors. Maybe one of them has a
> corrupted package. I don't know if zypper has options to print
> redirects. You could try fetching the file manually using wget to
> see which mirror was used though.

zypper doesn't have such options. (It should... so users could report problems
in a way that makes it possible to easily fix them... but well. We haven't.)

But you can check the hashes that the server provides. They are listed in the
Metalink of each file, e.g.
http://download.opensuse.org/repositories/network:/samba:/STABLE/openSUSE_11.1/i586/samba-client-3.5.1-5.1.i586.rpm.metalink
Those hashes are authoritative and independent of mirrors. Since the Metalink
also lists the mirrors, it's trivial to check if a mirror delivers different
content. (Consider though that not all problems are apparent immediately; some
occur only sometimes.)

aria2c automatically uses this information to download correct content. That's
why openSUSE 11.2 uses aria2c as downloader.

In the near future, it'll be possible to retrieve the hashes simply by appending
.sha256, .sha1 or .md5 to a URL.

>> Now that version binds against libssh2, which wasn't installed
>> obviously. With the unfriendly result of:
>>
>> # zypper
>> zypper: error while loading shared libraries: libssh2.so.1: cannot open
>> shared object file: No such file or directory
>
> Just don't press 'i' i.e. 'ignore' if zypper prompts you to avoid such
> errors :-)

Good one ;-)

Peter


--
To unsubscribe, e-mail: opensuse-security+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse-security+help@xxxxxxxxxxxx
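The check Peter describes above (take the authoritative hashes from the package's Metalink, then see whether each mirror listed in it delivers content matching those hashes) as an added example. This is not code from the thread or from the openSUSE project; it parses both the Metalink 3 namespace that download.opensuse.org served at the time and the Metalink 4 (RFC 5854) namespace, and the package bytes, mirror URLs and mirror responses are constructed sample data, not a real rpm.

```python
import hashlib
import xml.etree.ElementTree as ET

METALINK_V3_NS = "http://www.metalinker.org/"       # Metalink 3 (metalinker.org)
METALINK_V4_NS = "urn:ietf:params:xml:ns:metalink"  # Metalink 4 (RFC 5854)

# Metalink spells hash types "sha256" (v3) or "sha-256" (v4); map both to hashlib names.
HASH_NAMES = {"md5": "md5", "sha1": "sha1", "sha-1": "sha1",
              "sha256": "sha256", "sha-256": "sha256"}


def parse_metalink(xml_text):
    """Return (file name, {hashlib algo: hexdigest}, [mirror URLs]) for the first <file>."""
    root = ET.fromstring(xml_text)
    ns = root.tag[1:].split("}")[0] if root.tag.startswith("{") else ""

    def q(tag):  # qualify a tag with the document's namespace
        return f"{{{ns}}}{tag}"

    if ns == METALINK_V3_NS:
        file_el = root.find(f"{q('files')}/{q('file')}")
        hash_els = file_el.findall(f"{q('verification')}/{q('hash')}")
        url_els = file_el.findall(f"{q('resources')}/{q('url')}")
    elif ns == METALINK_V4_NS:
        file_el = root.find(q("file"))
        hash_els = file_el.findall(q("hash"))
        url_els = file_el.findall(q("url"))
    else:
        raise ValueError(f"not a Metalink document (namespace {ns!r})")

    hashes = {}
    for h in hash_els:
        algo = HASH_NAMES.get((h.get("type") or "").lower())
        if algo:  # skip hash types hashlib cannot check (piece hashes, unknown names)
            hashes[algo] = (h.text or "").strip().lower()
    urls = [u.text.strip() for u in url_els if u.text and u.text.strip()]
    return file_el.get("name"), hashes, urls


def verify_content(data, hashes):
    """Check data against every listed hash; returns {algo: matched}.
    All hashes are reported so a mismatch in any one of them is visible."""
    return {algo: hashlib.new(algo, data).hexdigest() == digest
            for algo, digest in hashes.items()}


def find_bad_mirrors(urls, hashes, fetch):
    """Fetch the file from each mirror via fetch(url) -> bytes and return the mirrors
    whose content fails any authoritative hash. A failed fetch also counts as bad."""
    bad = []
    for url in urls:
        try:
            data = fetch(url)
        except Exception:
            bad.append(url)
            continue
        if not all(verify_content(data, hashes).values()):
            bad.append(url)
    return bad


# Constructed sample: a fake package body and a Metalink 3 document whose hashes are
# computed from it, so the example is self-consistent and runs offline.
SAMPLE_DATA = b"constructed sample package payload, not a real rpm\n"
SAMPLE_METALINK = f"""<metalink version="3.0" xmlns="{METALINK_V3_NS}">
  <files>
    <file name="sample-1.0-1.i586.rpm">
      <size>{len(SAMPLE_DATA)}</size>
      <verification>
        <hash type="md5">{hashlib.md5(SAMPLE_DATA).hexdigest()}</hash>
        <hash type="sha1">{hashlib.sha1(SAMPLE_DATA).hexdigest()}</hash>
        <hash type="sha256">{hashlib.sha256(SAMPLE_DATA).hexdigest()}</hash>
      </verification>
      <resources>
        <url type="http">http://mirror-a.example/sample-1.0-1.i586.rpm</url>
        <url type="http">http://mirror-b.example/sample-1.0-1.i586.rpm</url>
      </resources>
    </file>
  </files>
</metalink>"""

# Constructed mirror responses (hypothetical hosts): mirror-b serves a truncated file.
FAKE_MIRRORS = {
    "http://mirror-a.example/sample-1.0-1.i586.rpm": SAMPLE_DATA,
    "http://mirror-b.example/sample-1.0-1.i586.rpm": SAMPLE_DATA[:-1],
}


def demo():
    """Parse the sample Metalink and report which constructed mirror fails verification."""
    _name, hashes, urls = parse_metalink(SAMPLE_METALINK)
    return find_bad_mirrors(urls, hashes, FAKE_MIRRORS.__getitem__)


if __name__ == "__main__":
    name, hashes, urls = parse_metalink(SAMPLE_METALINK)
    print(name, verify_content(SAMPLE_DATA, hashes))
    print("mirrors failing verification:", demo())
```

Against a real Metalink you would pass a fetch callable that performs the HTTP download of each listed URL; the comparison is made against the hashes in the Metalink, not against whatever the first mirror returned, which is the property that makes the result independent of the mirror.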
