On Thursday 25 March 2010, 18:34:30 Hans-Peter Jansen wrote:
Hi,
apart from many connection failures to download.opensuse.org, e.g.:
Retrieving package samba-client-3.5.1-5.1.i586 (145/164), 21.0 M (76.9 M unpacked)
Retrieving: samba-client-3.5.1-5.1.i586.rpm [error]
Download (curl) error for 'http://download.opensuse.org/repositories/network:/samba:/STABLE/openSUSE_11.1/i586/samba-client-3.5.1-5.1.i586.rpm':
Error code: Connection failed
Error message: couldn't connect to host

Abort, retry, ignore? [A/r/i]: r
Retrieving: samba-client-3.5.1-5.1.i586.rpm [done (1.7 M/s)]
Installing: samba-client-3.5.1-5.1 [done]
Additional rpm output:
warning: /etc/samba/smb.conf created as /etc/samba/smb.conf.rpmnew
Updating etc/sysconfig/network/dhcp...
and
Retrieving package perl-DBI-1.609-9.1.i586 (131/164), 760.0 K (2.0 M unpacked)
Retrieving: perl-DBI-1.609-9.1.i586.rpm [error]
Download (curl) error for 'http://download.opensuse.org/repositories/devel:/languages:/perl/openSUSE_11.1/i586/perl-DBI-1.609-9.1.i586.rpm':
Error code: Connection failed
Error message: couldn't connect to host

Abort, retry, ignore? [A/r/i]: r
Retrieving: perl-DBI-1.609-9.1.i586.rpm [done]
Installing: perl-DBI-1.609-9.1 [done]
that are circumvented with retrying, I get really disconcerting failures like:
Retrieving package libssh2-1-1.2.4-3.1.i586 (14/16), 63.0 K (155.0 K unpacked)
Retrieving: libssh2-1-1.2.4-3.1.i586.rpm [done]
Digest verification failed for libssh2-1-1.2.4-3.1.i586.rpm. Expected 79e86e50140dfba4a5518d9b56aa265d11118457, found 6eae9b5a01ea7ce6549733b65776618d87513452.
Continue? [yes/NO]:
Failed to provide Package libssh2-1-1.2.4-3.1. Do you want to retry retrieval?

[devel_languages_python|http://download.opensuse.org/repositories/devel:/languages:/python/openSUSE_11.1/] Can't provide file './i586/libssh2-1-1.2.4-3.1.i586.rpm' from repository 'devel_languages_python'
History:
- libssh2-1-1.2.4-3.1.i586.rpm has wrong checksum

Abort, retry, ignore? [A/r/i]: i
Retrieving package libcurl4-7.20.0-33.1.i586 (15/16), 165.0 K (347.0 K unpacked)
Retrieving: libcurl4-7.20.0-33.1.i586.rpm [done]
Digest verification failed for libcurl4-7.20.0-33.1.i586.rpm. Expected ef235bb05c155b78659bc3356b88f4a88b255e20, found d37f038a4f933efbdb10bc73cfb93946750420c6.
Continue? [yes/NO]:
Failed to provide Package libcurl4-7.20.0-33.1. Do you want to retry retrieval?

[devel_languages_python|http://download.opensuse.org/repositories/devel:/languages:/python/openSUSE_11.1/] Can't provide file './i586/libcurl4-7.20.0-33.1.i586.rpm' from repository 'devel_languages_python'
History:
- libcurl4-7.20.0-33.1.i586.rpm has wrong checksum

Abort, retry, ignore? [A/r/i]: i
Given that both originate from the same project and both are critical from a security POV, I _am_ worried about this behavior. Is there somebody tampering with those packages?
It gets stranger and stranger: for some reason, the verification for libcurl4 succeeded in another attempt:

The following package is going to be upgraded:
libcurl4-7.20.0-33.1.i586 (Python and Python Modules (openSUSE_11.1), openSUSE Build Service)

The following NEW package is going to be installed:
libssh2-1-1.2.4-3.1.i586 (Python and Python Modules (openSUSE_11.1), openSUSE Build Service)

Overall download size: 228.0 K. After the operation, additional 183.0 K will be used.
Continue? [YES/no]: committing
Retrieving package libssh2-1-1.2.4-3.1.i586 (1/2), 63.0 K (155.0 K unpacked)
Retrieving: libssh2-1-1.2.4-3.1.i586.rpm [done]
Digest verification failed for libssh2-1-1.2.4-3.1.i586.rpm. Expected 79e86e50140dfba4a5518d9b56aa265d11118457, found 6eae9b5a01ea7ce6549733b65776618d87513452.
Continue? [yes/NO]:
Failed to provide Package libssh2-1-1.2.4-3.1. Do you want to retry retrieval?

[devel_languages_python|http://download.opensuse.org/repositories/devel:/languages:/python/openSUSE_...] Can't provide file './i586/libssh2-1-1.2.4-3.1.i586.rpm' from repository 'devel_languages_python'
History:
- libssh2-1-1.2.4-3.1.i586.rpm has wrong checksum

Abort, retry, ignore? [A/r/i]: i
Retrieving package libcurl4-7.20.0-33.1.i586 (2/2), 165.0 K (347.0 K unpacked)
Retrieving: libcurl4-7.20.0-33.1.i586.rpm [done]
Installing: libcurl4-7.20.0-33.1 [done]
committingCommitResult 2 (errors 0, remaining 0, srcremaining 0)

Now that version binds against libssh2, which wasn't installed obviously.
With the unfriendly result of:

# zypper
zypper: error while loading shared libraries: libssh2.so.1: cannot open shared object file: No such file or directory

Indeed:

# ldd /usr/bin/zypper
linux-gate.so.1 => (0xffffe000)
libzypp.so.523 => /usr/lib/libzypp.so.523 (0xb7363000)
libreadline.so.5 => /lib/libreadline.so.5 (0xb732b000)
libstdc++.so.6 => /usr/lib/libstdc++.so.6 (0xb7237000)
libm.so.6 => /lib/libm.so.6 (0xb720e000)
libgcc_s.so.1 => /lib/libgcc_s.so.1 (0xb71fe000)
libc.so.6 => /lib/libc.so.6 (0xb70a2000)
librt.so.1 => /lib/librt.so.1 (0xb7098000)
libpthread.so.0 => /lib/libpthread.so.0 (0xb707e000)
libutil.so.1 => /lib/libutil.so.1 (0xb707a000)
libdbus-1.so.3 => /lib/libdbus-1.so.3 (0xb7038000)
librpm-4.4.so => /usr/lib/librpm-4.4.so (0xb6fa1000)
libhal.so.1 => /usr/lib/libhal.so.1 (0xb6f8e000)
libhal-storage.so.1 => /usr/lib/libhal-storage.so.1 (0xb6f82000)
libcurl.so.4 => /usr/lib/libcurl.so.4 (0xb6f2b000)
libxml2.so.2 => /usr/lib/libxml2.so.2 (0xb6dd7000)
libz.so.1 => /lib/libz.so.1 (0xb6dc2000)
libexpat.so.1 => /lib/libexpat.so.1 (0xb6d99000)
libcrypto.so.0.9.8 => /usr/lib/libcrypto.so.0.9.8 (0xb6c32000)
libncurses.so.5 => /lib/libncurses.so.5 (0xb6bf5000)
/lib/ld-linux.so.2 (0xb77bb000)
librpmdb-4.4.so => /usr/lib/librpmdb-4.4.so (0xb6aed000)
librpmio-4.4.so => /usr/lib/librpmio-4.4.so (0xb6a0b000)
libdl.so.2 => /lib/libdl.so.2 (0xb6a05000)
libbz2.so.1 => /lib/libbz2.so.1 (0xb69f5000)
libpopt.so.0 => /lib/libpopt.so.0 (0xb69ec000)
libselinux.so.1 => /lib/libselinux.so.1 (0xb69cf000)
libuuid.so.1 => /lib/libuuid.so.1 (0xb69c9000)
libcares.so.2 => /usr/lib/libcares.so.2 (0xb69b8000)
libidn.so.11 => /usr/lib/libidn.so.11 (0xb6986000)
libssh2.so.1 => not found
libssl.so.0.9.8 => /usr/lib/libssl.so.0.9.8 (0xb693c000)
libldap-2.4.so.2 => /usr/lib/libldap-2.4.so.2 (0xb68f8000)
libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0xb68ca000)
libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0xb682b000)
libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0xb6804000)
libcom_err.so.2 => /lib/libcom_err.so.2 (0xb6800000)
libkeyutils.so.1 => /lib/libkeyutils.so.1 (0xb67fc000)
libresolv.so.2 => /lib/libresolv.so.2 (0xb67e6000)
liblber-2.4.so.2 => /usr/lib/liblber-2.4.so.2 (0xb67d5000)
libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0xb67bb000)
libkrb5support.so.0 => /usr/lib/libkrb5support.so.0 (0xb67b2000)

Well, I restored the libcurl4 version from openSUSE update for now, but this is highly troubling me (and my confidence about openSUSE). What the hell happens here? Why does libcurl need to bind against libssh2? The libcurl4 changelog just notes:

* Wed Mar 24 2010 crrodriguez@opensuse.org
- enable libssh2 support unconditionally.
* Wed Mar 10 2010 crrodriguez@opensuse.org
- enable libcares support unconditionally.

@crrodriguez: the whole issue might be a red herring, but let's face it: such moves need a bit more verbose description, and given that these libs crept into my system via devel:/languages:/python, while they flag themselves Distribution: devel:libraries:c_c++ / openSUSE_11.1, it doesn't raise users' confidence. In fact, it keeps smelling fishy...

Pete
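A way to tally the outcome reported in this message, as an added example that is not part of the original post and not zypper's own code: it reads a transcript for digest failures, the answers given at the prompt, and completed installs. The sample lines are constructed from the output quoted above, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: lines taken from the two zypper runs quoted in the message above.
SAMPLE_LOG = """\
Retrieving: libssh2-1-1.2.4-3.1.i586.rpm [done]
Digest verification failed for libssh2-1-1.2.4-3.1.i586.rpm. Expected 79e86e50140dfba4a5518d9b56aa265d11118457, found 6eae9b5a01ea7ce6549733b65776618d87513452.
Abort, retry, ignore? [A/r/i]: i
Retrieving: libcurl4-7.20.0-33.1.i586.rpm [done]
Digest verification failed for libcurl4-7.20.0-33.1.i586.rpm. Expected ef235bb05c155b78659bc3356b88f4a88b255e20, found d37f038a4f933efbdb10bc73cfb93946750420c6.
Abort, retry, ignore? [A/r/i]: i
Retrieving: libssh2-1-1.2.4-3.1.i586.rpm [done]
Digest verification failed for libssh2-1-1.2.4-3.1.i586.rpm. Expected 79e86e50140dfba4a5518d9b56aa265d11118457, found 6eae9b5a01ea7ce6549733b65776618d87513452.
Abort, retry, ignore? [A/r/i]: i
Retrieving: libcurl4-7.20.0-33.1.i586.rpm [done]
Installing: libcurl4-7.20.0-33.1 [done]
"""

DIGEST_RE = re.compile(r"Digest verification failed for (\S+?)\.\w+\.rpm\. "
                       r"Expected ([0-9a-f]{40}), found ([0-9a-f]{40})")
ANSWER_RE = re.compile(r"Abort, retry, ignore\? \[A/r/i\]: ([ari])", re.I)
INSTALL_RE = re.compile(r"Installing: (\S+) \[done\]")

def summarize(log):
    """Per package: digests found on failed attempts, prompt answers, install status."""
    pkgs = defaultdict(lambda: {"found": [], "answers": [], "installed": False})
    current = None  # package whose digest failure the next prompt refers to
    for line in log.splitlines():
        if line.startswith("Retrieving"):
            current = None  # prompts after plain download errors are not counted
        elif m := DIGEST_RE.search(line):
            current = m.group(1)  # name-version-release, architecture stripped
            pkgs[current]["found"].append(m.group(3))
        elif (m := ANSWER_RE.search(line)) and current:
            pkgs[current]["answers"].append(m.group(1).lower())
        elif m := INSTALL_RE.search(line):
            pkgs[m.group(1)]["installed"] = True
    return dict(pkgs)

def ignored_and_missing(pkgs):
    """Digest failure answered with 'i' and the package never installed."""
    return sorted(p for p, s in pkgs.items() if "i" in s["answers"] and not s["installed"])

def failed_then_installed(pkgs):
    """At least one digest failure, yet installed on another attempt."""
    return sorted(p for p, s in pkgs.items() if s["found"] and s["installed"])

if __name__ == "__main__":
    print(ignored_and_missing(summarize(SAMPLE_LOG)), failed_then_installed(summarize(SAMPLE_LOG)))
```

A package in the first list that an installed package links against reproduces the `libssh2.so.1 => not found` state shown by ldd above.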