Mailinglist Archive: opensuse-security (409 mails)

Re: [suse-security] openssh trojan (alert)
Hi,
well nice suggestion BUT it is not good to rely on a md5sum posted by someone in a newsgroup. The proper way to do a verification of your
version is to do a gpg --verify openssh-3.4p1.tar.gz.sig after you have imported the key DJM-GPG-KEY.asc (with gpg --import
DJM-GPG-KEY.asc) to be found in the portable directory of OpenSSH. We just checked it here and the tarball of openssh-3.4p1 reports a BAD
signature (we made a negative control with the tarball of openssh-3.2.3p1 which gave us a GOOD signature, so the key seems to work...)

BTW: I think you have to check your untouched tarball - cause the shellscript seems to remove itself from Makefile.in in openbsd-compat...

1.8.2002 10:54:02, ic_admin <admin@xxxxxxxxxxxx> wrote:

>Hi List,
>
>take a look at
>"http://docs.freebsd.org/cgi/getmsg.cgi?fetch=394609+0+current/freebsd-security"
> there you find this part:
>
>
>-- start --
>This is the md5 checksum of the openssh-3.4p1.tar.gz in the FreeBSD
>ports system:
> MD5 (openssh-3.4p1.tar.gz) = 459c1d0262e939d6432f193c7a4ba8a8
>
>This is the md5 checksum of the trojaned openssh-3.4p1.tar.gz:
> MD5 (openssh-3.4p1.tar.gz) = 3ac9bc346d736b4a51d676faa2a08a57
>-- stop --
>
>
>If you do not check this ...
>
>
>Regards
>
>Ruediger
--
.-. Ruhr-Universitaet Bochum
/v\ L I N U X Lehrstuhl fuer Biophysik
// \\ >Penguin Computing< c/o Christoph Wegener
/( )\ Gebaeude ND 04/Nord
^^-^^ D-44780 Bochum, GERMANY

Tel: +49 (234) 32-25754 Fax: +49 (234) 32-14626
mailto:cwe@xxxxxxxxxxxxxxxxxxxxxx http://www.bph.ruhr-uni-bochum.de
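
The verification the reply describes (import the release key, then `gpg --verify` the detached signature), scripted as an added example that is not part of the original mail. It additionally assumes you hold the key's fingerprint from a source independent of the download site; the function names are hypothetical and the fingerprint is whatever you pass in.

```shell
#!/bin/sh
# Added example (not from the original mail). Function names are
# hypothetical; the fingerprint is supplied by the caller.

# check_status FPR
# Reads gpg --status-fd output on stdin. Succeeds only if a VALIDSIG line
# names FPR as signing or primary key and no failure keyword appears.
check_status() {
    [ -n "$1" ] || return 2
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" && ($3 == want || $NF == want) { good = 1 }
        END { exit !(good && !bad) }
    '
}

# verify_tarball KEYFILE SIGFILE TARBALL FPR
# Imports KEYFILE into a throwaway keyring so that only this key can
# produce a match, then verifies the detached signature.
verify_tarball() {
    home=$(mktemp -d) || return 2
    gpg --homedir "$home" --batch --quiet --import "$1" 2>/dev/null
    gpg --homedir "$home" --batch --status-fd 1 --verify "$2" "$3" \
        2>/dev/null | check_status "$4"
    rc=$?
    rm -rf "$home"
    return "$rc"
}

# Example invocation with the file names from the mail:
#   sh verify.sh DJM-GPG-KEY.asc openssh-3.4p1.tar.gz.sig \
#       openssh-3.4p1.tar.gz "$FPR_CHECKED_OUT_OF_BAND"
if [ "$#" -eq 4 ]; then
    verify_tarball "$@" && echo "signature OK" || echo "signature NOT OK"
fi
```

Running it once against a tarball you already trust, as the reply did with openssh-3.2.3p1, confirms the key and fingerprint are the right ones before you rely on a failure result.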




