OpenSSH Trojan

Dan Osterrath do3 at mail.inf.tu-dresden.de
Thu Aug 1 16:01:56 PDT 2002



> Perhaps the real lesson is to double check those md5sum or validate them
> against a signing key. And in particular, use values that are not coming
> from the same server that you are obtaining the source from (and hopefully
> not a server that is just an identical mirror).

Well, this might be the best solution. The next logical exploit would be to exchange the md5sums on the webpages, too. ;-)
But I don't agree that you should wait some days or weeks after the release of a software package. Remember that there are CVS, alphas, betas and RCs. In general, released packages are well tested. At least at larger "software organisations" like GNU, KDE, the Linux kernel (at least today) and so on.

-- 
----------------------------------------------------------------------
%> ln -s /dev/null /dev/brain
%> ln -s /dev/urandom /dev/world
%> dd if=/dev/world of=/dev/brain
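As an added example (not part of the original message or of OpenSSH itself): a small Python verifier for the out-of-band check discussed above. It parses a checksum list in the format written by md5sum/sha256sum, as obtained from a signed announcement or a different host than the download mirror, and flags a tarball whose contents differ from the listed digests. File name and tarball bytes are constructed for the example.

```python
import hashlib
import hmac
from typing import Dict, List, Tuple

# Constructed stand-ins for a release tarball and a tampered copy of it
# (invented bytes, not a real archive).
GENUINE_TARBALL = b"openssh-example (genuine contents, constructed sample)\n"
TAMPERED_TARBALL = GENUINE_TARBALL + b"# extra bytes an attacker appended (constructed)\n"

# Checksum list in md5sum/sha256sum output format ("<hex>  <filename>"),
# as it would be obtained out of band, i.e. not from the download mirror.
OUT_OF_BAND_CHECKSUMS = (
    "# release checksums, constructed for this example\n"
    f"{hashlib.md5(GENUINE_TARBALL).hexdigest()}  openssh-example.tar.gz\n"
    f"{hashlib.sha256(GENUINE_TARBALL).hexdigest()}  openssh-example.tar.gz\n"
)

# Digest algorithm is inferred from the hex length, as sum(1) tools print it.
DIGEST_BY_HEXLEN = {32: "md5", 40: "sha1", 64: "sha256"}


def parse_checksum_list(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Map filename -> [(algorithm, hexdigest), ...]; skip blanks and '#' comments."""
    entries: Dict[str, List[Tuple[str, str]]] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) not in DIGEST_BY_HEXLEN:
            raise ValueError(f"line {lineno}: not a checksum entry: {line!r}")
        hexdigest, name = parts[0].lower(), parts[1].lstrip("*")  # '*' = binary mode marker
        entries.setdefault(name, []).append((DIGEST_BY_HEXLEN[len(hexdigest)], hexdigest))
    return entries


def verify_download(name: str, data: bytes, checksum_text: str) -> str:
    """'ok' if every listed digest for name matches data, 'mismatch' if any
    differs (treat as possible tampering), 'unlisted' if name is absent."""
    expected = parse_checksum_list(checksum_text).get(name)
    if not expected:
        return "unlisted"
    for algorithm, hexdigest in expected:
        actual = hashlib.new(algorithm, data).hexdigest()
        if not hmac.compare_digest(actual, hexdigest):
            return "mismatch"
    return "ok"
```

A checksum list that was fetched from the same mirror as the tarball proves nothing here; the value of the check comes entirely from where `OUT_OF_BAND_CHECKSUMS` was obtained.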
