Bryan.C.Breen.1 at gsfc.nasa.gov
Thu Aug 1 19:48:07 PDT 2002
There's something to be said for waiting to see the bugs hammered out of a
program before using it, however...
This OpenSSH Trojan is a different case from there being a bug in the
source code. What happened here was that a specific mirror site (a rather
heavily used one) was tainted when their tarball of the source code was
changed (when the Trojan was inserted).
There's nothing wrong with the 3.4p1 code, as long as you have an
uninfected source tree/tar-ball.
I keep all my source files (in their original tar'd and gzip/bzip2 format)
just for ease of rebuilding (I'm too damn impatient to wait for a download
even over my cable connection!). I checked my OpenSSH-3.4p1.tar.gz md5sum
and it verified that the copy that I had from June 26th was clean.
So in *this* case, it was actually better that I had gotten the code early
on, instead of waiting.
Perhaps the real lesson is to double-check those md5sums, or validate them
against a signing key. And in particular, use values that are not coming
from the same server that you are obtaining the source from (and hopefully
not a server that is just an identical mirror).
At 00:32 8/2/02 +0200, you wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>> I think the REAL lesson to be learned here is that you should always
>> wait a good week or two before installing updates. That way somebody
>> else finds the problems, and you don't have to worry about them.
>> Mwuahahahhahahah! ;)
>Remember, when openssh-3.4p1 was released? I think it is *some more* than
>a week ago. ;-)
>%> ln -s /dev/null /dev/brain
>%> ln -s /dev/urandom /dev/world
>%> dd if=/dev/world of=/dev/brain
>-----BEGIN PGP SIGNATURE-----
>Version: GnuPG v1.0.7 (GNU/Linux)
>-----END PGP SIGNATURE-----
>Unsubscribe: send email to listar at linuxfromscratch.org
>and put 'unsubscribe lfs-security' in the subject header of the message
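The check described in the post above, verifying a kept tarball against a
checksum (or signature) that did not come from the download mirror, as an
added example. This is not code from the post or from the OpenSSH project;
the file names, the "known good" value and the tampered copy are
constructed for the demonstration, and the signature check assumes you
already hold the project's release key obtained out-of-band.

```shell
#!/bin/sh
# Added example, not from the original post. Verifies a source tarball
# against an MD5 recorded from a source independent of the download
# mirror (release announcement, a second non-mirrored server, your own
# notes from an earlier clean download).

# Print the MD5 of a file; fall back to openssl where md5sum is absent.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    else
        openssl dgst -md5 "$1" | awk '{print $NF}'
    fi
}

# verify_md5 TARBALL EXPECTED_MD5
# Returns 0 when the file matches the out-of-band value, 1 otherwise.
verify_md5() {
    tarball="$1"
    expected="$2"
    actual=$(md5_of "$tarball")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $tarball matches $expected"
        return 0
    fi
    echo "MISMATCH: $tarball is $actual, expected $expected" >&2
    return 1
}

# verify_sig TARBALL DETACHED_SIG
# Stronger check: a detached PGP signature verified with the project's
# release key. This only means something if the key was fetched and
# checked before the incident and from somewhere other than the mirror;
# a key pulled alongside the tarball proves nothing. gpg exits non-zero
# on a bad or unknown signature, so the return value can be tested.
verify_sig() {
    gpg --verify "$2" "$1"
}

# Constructed demonstration: a stand-in "clean" tarball whose checksum was
# recorded earlier (the out-of-band value), and a mirror copy that was
# altered afterwards. The function must accept the first and reject the
# second. Returns 0 if both outcomes are as expected.
demo() {
    dir=$(mktemp -d)
    printf 'clean source tree\n' > "$dir/openssh-3.4p1.tar.gz"
    known=$(md5_of "$dir/openssh-3.4p1.tar.gz")      # recorded out-of-band
    cp "$dir/openssh-3.4p1.tar.gz" "$dir/mirror-copy.tar.gz"
    printf 'inserted payload\n' >> "$dir/mirror-copy.tar.gz"  # the tainted mirror copy
    if verify_md5 "$dir/openssh-3.4p1.tar.gz" "$known"; then clean=0; else clean=1; fi
    if verify_md5 "$dir/mirror-copy.tar.gz" "$known"; then tainted=0; else tainted=1; fi
    rm -rf "$dir"
    [ "$clean" -eq 0 ] && [ "$tainted" -eq 1 ]
}
```

The point of keeping the expected value separate from the download is that
a mirror which can rewrite the tarball can rewrite the adjacent .md5 file
just as easily; the checksum is only evidence when it has a different
origin than the thing it vouches for.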