Well, if you think you are safe rebuilding from source, think again...

1. Systems affected:

OpenSSH version 3.2.2p1, 3.4p1 and 3.4 have been trojaned on the
OpenBSD ftp server and potentially propagated via the normal mirroring
process to other ftp servers.  The code was inserted some time between
the 30th and 31st of July.  We replaced the trojaned files with their
originals at 7AM MDT, August 1st.

2. Impact:

Anyone who has installed OpenSSH from the OpenBSD ftp server or any
mirror within that time frame should consider his system compromised.
The trojan allows the attacker to gain control of the system as the
user compiling the binary.  Arbitrary commands can be executed.
-----

(http://www.openssh.org/txt/trojan.adv)

So unless you've built OpenSSH from source in the last couple of days, you
should be OK.  Anyone who upgraded to 3.4 back in June when it came out
should be fine.

Of course if people downloading openssh checked it against the md5sum on 
the site, they would have discovered a "bad download".  In actuality, 
someone inserted source to contact a remote server.  How they managed to 
get that on a site running OpenBSD is another question entirely, since 
it is supposed to be the most secure thing around.  

This illustrates once again that security is a process, and that no 
system is inherently secure.  Some systems make it a little easier to 
lock down and some make themselves nigh-on impossible to protect.  And 
it is a huge mistake to entrust security to a computer system and forget 
the human component of such systems which can cause circumvention of the 
best-designed computer measures.

Civileme
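The md5sum check mentioned above, written out as an added example (it is not part of the post or of the OpenSSH advisory): a POSIX shell function that compares a downloaded tarball against a digest obtained from a channel independent of the download server, so a substituted tarball is rejected before anything is unpacked or compiled. The file names, digest values and the sha256 option are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the advisory or the post.
#
# verify_download FILE EXPECTED_DIGEST [ALGO]
#   ALGO is md5 (what the site published in 2002) or sha256 (an assumed,
#   stronger option for today).  Returns 0 on match, 1 on mismatch,
#   2 on a usage or tooling error.  Digest comparison is case-insensitive.
verify_download() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    algo=${3:-md5}

    [ -f "$file" ] || { echo "verify_download: no such file: $file" >&2; return 2; }

    case "$algo" in
        md5)    actual=$(md5sum "$file" | cut -d' ' -f1) ;;
        sha256) actual=$(sha256sum "$file" | cut -d' ' -f1) ;;
        *)      echo "verify_download: unsupported algorithm: $algo" >&2; return 2 ;;
    esac
    [ -n "$actual" ] || return 2

    if [ "$actual" = "$expected" ]; then
        echo "OK: $file $algo=$actual"
        return 0
    fi
    # A mismatch is either a corrupt transfer or a tarball that is not the
    # one the maintainers released; either way, do not build from it.
    echo "MISMATCH: $file" >&2
    echo "  expected $algo: $expected" >&2
    echo "  actual   $algo: $actual" >&2
    return 1
}

# build_if_verified TARBALL EXPECTED_DIGEST [ALGO]
#   Only unpacks the tarball once the digest check has passed, so a
#   trojaned archive never has its code run on the build host.
build_if_verified() {
    verify_download "$1" "$2" "${3:-md5}" || return $?
    echo "digest verified, unpacking $1"
    tar xzf "$1"
}
```

The expected digest has to come from somewhere other than the host that served the tarball (the release announcement mail, for instance), because whoever replaced the archive on a mirror can replace a checksum file hosted beside it just as easily.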