From: Christoph Wegener (cwe_at_bph.ruhr-uni-bochum.de)
Date: Thu Aug 01 2002 - 04:17:10 CDT


    Hi,
    well nice suggestion BUT it is not good to rely on a md5sum posted by someone in a newsgroup. The proper way to do a verification of your
    version is to do a gpg --verify openssh-3.4p1.tar.gz.sig after you have imported the key DJM-GPG-KEY.asc (with gpg --import DJM-GPG-KEY.asc)
    to be found in the portable directory of OpenSSH. We just checked it here and the tarball of openssh-3.4p1 reports a BAD
    signature (we made a negative control with the tarball of openssh-3.2.3p1 which gave us a GOOD signature, so the key seems to work...)

    BTW: I think you have to check your untouched tarball - cause the shellscript seems to remove itself from Makefile.in in openbsd-compat...

    1.8.2002 10:54:02, ic_admin <admini-concept.de> wrote:

    >Hi List,
    >
    >take a look at
    >"http://docs.freebsd.org/cgi/getmsg.cgi?fetch=394609+0+current/freebsd-security"
    > there you find this part:
    >
    >
    >-- start --
    >This is the md5 checksum of the openssh-3.4p1.tar.gz in the FreeBSD
    >ports system:
    > MD5 (openssh-3.4p1.tar.gz) = 459c1d0262e939d6432f193c7a4ba8a8
    >
    >This is the md5 checksum of the trojaned openssh-3.4p1.tar.gz:
    > MD5 (openssh-3.4p1.tar.gz) = 3ac9bc346d736b4a51d676faa2a08a57
    >-- stop --
    >
    >
    >If you do not check this ...
    >
    >
    >Regards
    >
    >Ruediger

    --
        .-.                             Ruhr-Universitaet Bochum
        /v\    L   I   N   U   X        Lehrstuhl fuer Biophysik
       // \\  >Penguin Computing<       c/o Christoph Wegener
      /(   )\                           Gebaeude ND 04/Nord
       ^^-^^                            D-44780 Bochum, GERMANY
    

    Tel: +49 (234) 32-25754 Fax: +49 (234) 32-14626 mailto:cwebph.ruhr-uni-bochum.de http://www.bph.ruhr-uni-bochum.de
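
Added example, not part of the original message: a shell sketch of the signature check described above, deciding from GnuPG's machine-readable status lines and a pinned key fingerprint instead of a checksum posted by a third party. The function names, the dedicated keyring argument and the value of EXPECTED_FPR are assumptions; the fingerprint is a constructed placeholder, not the real OpenSSH release key, and the sample status lines are constructed.

```shell
#!/bin/sh
# Added example: accept a tarball only on a VALIDSIG from the pinned key.
# EXPECTED_FPR is a constructed placeholder, NOT the real release key
# fingerprint; obtain the real one over a channel you trust.
EXPECTED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"

# Read "[GNUPG:] ..." status lines on stdin. Return 0 only when a VALIDSIG
# names the pinned fingerprint (signing key or primary key) and no failure
# keyword appears anywhere in the output.
check_gpg_status() {
    want=$1
    ok=1
    while IFS=' ' read -r tag keyword arg rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case $keyword in
            BADSIG|ERRSIG|EXPKEYSIG|REVKEYSIG)
                return 1 ;;
            VALIDSIG)
                primary=${rest##* }   # last field: primary key fingerprint
                if [ "$arg" = "$want" ] || [ "$primary" = "$want" ]; then
                    ok=0
                fi ;;
        esac
    done
    return "$ok"
}

# Verify a detached signature against a keyring that holds only the imported
# release key, so unrelated keys in the default keyring cannot satisfy it.
verify_tarball() {
    keyring=$1 sig=$2 tarball=$3
    gpg --batch --no-default-keyring --keyring "$keyring" \
        --status-fd 1 --verify "$sig" "$tarball" 2>/dev/null |
        check_gpg_status "$EXPECTED_FPR"
}

# Constructed status output (not captured from a real run) for both outcomes.
GOOD_STATUS="[GNUPG:] GOODSIG 89ABCDEF01234567 Constructed Signer
[GNUPG:] VALIDSIG $EXPECTED_FPR 2002-06-26 1025049600 0 3 0 17 2 00 $EXPECTED_FPR"
BAD_STATUS="[GNUPG:] BADSIG 89ABCDEF01234567 Constructed Signer"

printf '%s\n' "$GOOD_STATUS" | check_gpg_status "$EXPECTED_FPR" && echo "good sample: accept"
printf '%s\n' "$BAD_STATUS" | check_gpg_status "$EXPECTED_FPR" || echo "bad sample: reject"
```

A real run would be verify_tarball ./release.gpg openssh-3.4p1.tar.gz.sig openssh-3.4p1.tar.gz, where ./release.gpg is an assumed keyring path created by importing DJM-GPG-KEY.asc into it.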
