Re: Checking signatures of .debs (was: Re: (fwd) OpenSSH trojan!)

2002-08-03 Thread Marcel Weber
It's rather something like, installation failed due to bad signature or so. Actually it never happened to me. Marcel -Original Message- From: Jussi Ekholm [mailto:[EMAIL PROTECTED] Ok, thanks. Of course, GnuPG/PGP signature is a bit different from MD5 checksums, but thanks a lot

Checking signatures of .debs (was: Re: (fwd) OpenSSH trojan!)

2002-08-03 Thread Jussi Ekholm
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Marcel Weber <[EMAIL PROTECTED]> wrote: > "Jussi Ekholm" <[EMAIL PROTECTED]> wrote: >> I was just wondering about the policy, in general - too. Are the >> "official" Debian packages created with MD5 checksum file, as well? >> And does ``debsums'' work

Re: (fwd) OpenSSH trojan!

2002-08-03 Thread Marcel Weber
On Sat, 3 Aug 2002 11:47:19 +0300 "Jussi Ekholm" <[EMAIL PROTECTED]> wrote: > You are most likely correct, but I'm just mapping my options here; are > Debian packages md5summed regularly? If so, I have ``debsums'' package > installed. Does this software check the MD5 checksum before the package >

Re: (fwd) OpenSSH trojan!

2002-08-03 Thread Jussi Ekholm
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Florian Weimer <[EMAIL PROTECTED]> wrote: > There isn't an easy way to determine whether a Debian package is > authentic or not. I'm not even sure what "authentic" means in this > context. You are most likely correct, but I'm just mapping my options

Re: (fwd) OpenSSH trojan!

2002-08-02 Thread Vincent Hanquez
On Fri, Aug 02, 2002 at 05:10:11PM +0300, Halil Demirezen wrote: > I wanna make it clear. > > We are using OpenSSH_3.4p1 Debian 1:3.4p1-1, SSH protocols 1.5/2.0, > OpenSSL 0x0090603f > > > and we installed the ssh from the deb packages using > apt-get install utility. > > I wonder if there is a

Re: (fwd) OpenSSH trojan!

2002-08-02 Thread Florian Weimer
Halil Demirezen <[EMAIL PROTECTED]> writes: > and we installed the ssh from the deb packages using > apt-get install utility. > > I wonder if there is any risk on this stable version of OpenSSH > (Debian) independent from openbsd's source tarball? There isn't an easy way to determine whether a De

Re: (fwd) OpenSSH trojan!

2002-08-02 Thread Halil Demirezen
I wanna make it clear. We are using OpenSSH_3.4p1 Debian 1:3.4p1-1, SSH protocols 1.5/2.0, OpenSSL 0x0090603f and we installed the ssh from the deb packages using apt-get install utility. I wonder if there is any risk on this stable version of OpenSSH (Debian) independent from openbsd's source

Re: (fwd) OpenSSH trojan!

2002-08-02 Thread Vincent Hanquez
On Fri, Aug 02, 2002 at 03:36:53PM +0200, Florian Weimer wrote: > Vincent Hanquez <[EMAIL PROTECTED]> writes: > > > as the others said, no. > > only Openbsd source package has been trojaned > > No, both 3.4p1 and 3.2.2p1 (portable versions) have been changed, too. Sorry, I've forgotten a word. I was

Re: (fwd) OpenSSH trojan!

2002-08-02 Thread Florian Weimer
Vincent Hanquez <[EMAIL PROTECTED]> writes: > as the others said, no. > only Openbsd source package has been trojaned No, both 3.4p1 and 3.2.2p1 (portable versions) have been changed, too. -- Florian Weimer[EMAIL PROTECTED] University of Stuttgart http://CERT.Uni-S

Re: (fwd) OpenSSH trojan!

2002-08-02 Thread Vincent Hanquez
On Fri, Aug 02, 2002 at 02:27:11PM +0300, Halil Demirezen wrote: > I installed my Debian system on 29th July, and I got the packets from > mirror security.debian... As anyone can say, should I be worried? As the others said, no. Only the Openbsd source package has been trojaned -- Tab

Re: (fwd) OpenSSH trojan!

2002-08-02 Thread Halil Demirezen
I installed my Debian system on 29th July, and I got the packets from mirror security.debian... As anyone can say, should I be worried? On Thu, 1 Aug 2002, Dale Amon wrote: > On Thu, Aug 01, 2002 at 03:06:47PM -0500, Daniel J. Rychlik wrote: > > Should debian users be worried if they only inst

Re: (fwd) OpenSSH trojan!

2002-08-01 Thread Dale Amon
On Thu, Aug 01, 2002 at 03:06:47PM -0500, Daniel J. Rychlik wrote: > Should debian users be worried if they only install the pre built .deb > package or should we evaluate the source and install the ssh from > source? > > I guess the next question is Do I Have it? I think the answer from earlier

RE: (fwd) OpenSSH trojan!

2002-08-01 Thread Daniel J. Rychlik
--Original Message- From: Jamie Penner [mailto:[EMAIL PROTECTED] Sent: Thursday, August 01, 2002 8:50 AM To: debian-security@lists.debian.org; Dale Amon Subject: Re: (fwd) OpenSSH trojan! "bf-test.c[1] is nothing more than a wrapper which generates a shell-script[2] which compiles itse

Re: (fwd) OpenSSH trojan!

2002-08-01 Thread Matt Zimmerman
On Thu, Aug 01, 2002 at 08:06:21AM -0400, Raymond Wood wrote: > I have no idea if this affects Debian in any way, shape, or form > -- but better safe than sorry, so here it is FYI... I have verified the checksums of all openssh 3.4p1 tarballs that I could find in the Debian archive, and they all

Re: (fwd) OpenSSH trojan!

2002-08-01 Thread Jamie Penner
"bf-test.c[1] is nothing more than a wrapper which generates a shell-script[2] which compiles itself and tries to connect to an server running on 203.62.158.32:6667 (web.snsonline.net)." At 06:39 AM 8/1/02, you wrote: On Thu, Aug 01, 2002 at 03:06:07PM +0200, Sebastien Chaumat wrote: > I gue

Re: (fwd) OpenSSH trojan!

2002-08-01 Thread Dale Amon
On Thu, Aug 01, 2002 at 03:06:07PM +0200, Sebastien Chaumat wrote: > I guess in the future (see the apt-src and co threads on devel) more > and more people will auto-build packages localy. This will become a > serious issue then. Ah, so it was in the source dist then. I presume someone has been

Re: (fwd) OpenSSH trojan!

2002-08-01 Thread Nicolas STRANSKY
Paul Hampson wrote on Thursday, August 01, 2002 3:16 PM: > On Thu, Aug 01, 2002 at 02:31:07PM +0200, Sebastien Chaumat wrote: >> Is there any source signing mechanism available in Debian? > > There is, in that the MD5 sum of the .orig.tar.gz goes into > the .dsc file. > > Not that it would affect

Re: (fwd) OpenSSH trojan!

2002-08-01 Thread Sebastien Chaumat
On Thu 01/08/2002 at 15:16, Paul Hampson wrote: > On Thu, Aug 01, 2002 at 02:31:07PM +0200, Sebastien Chaumat wrote: > > Is there any source signing mechanism available in Debian? > > There is, in that the MD5 sum of the .orig.tar.gz goes into > the .dsc file. > > Not that it would affect this

Re: (fwd) OpenSSH trojan!

2002-08-01 Thread Paul Hampson
On Thu, Aug 01, 2002 at 02:31:07PM +0200, Sebastien Chaumat wrote: > Is there any source signing mechanism available in Debian? There is, in that the MD5 sum of the .orig.tar.gz goes into the .dsc file. Not that it would affect this case, since the trojan would have been in the tar.gz which had

Re: (fwd) OpenSSH trojan!

2002-08-01 Thread Sebastien Chaumat
Hi, Here's the real(tm) question: Is there any source signing mechanism available in Debian? SEb P.S: I didn't find the trojan in the source at fpt.de.debian.org. On Thu 01/08/2002 at 14:23, Dale Amon wrote: > On Thu, Aug 01, 2002 at 08:06:21AM -0400, Raymond Wood wrote: > > Hi, > >

Re: (fwd) OpenSSH trojan!

2002-08-01 Thread Vincent Hanquez
On Thu, Aug 01, 2002 at 08:06:21AM -0400, Raymond Wood wrote: > Hi, > > I have no idea if this affects Debian in any way, shape, or form > -- but better safe than sorry, so here it is FYI... > > Cheers, > Raymond AFAIK this doesn't affect debian package because .tar.gz was downloaded from ftp.fu

Re: (fwd) OpenSSH trojan!

2002-08-01 Thread Dale Amon
On Thu, Aug 01, 2002 at 08:06:21AM -0400, Raymond Wood wrote: > Hi, > > I have no idea if this affects Debian in any way, shape, or form > -- but better safe than sorry, so here it is FYI... > > Cheers, > Raymond It's the same version as current sid, but are we talking a source coded trojan? It

(fwd) OpenSSH trojan!

2002-08-01 Thread Raymond Wood
Hi, I have no idea if this affects Debian in any way, shape, or form -- but better safe than sorry, so here it is FYI... Cheers, Raymond - Forwarded message from [...] - From: [somebody] To: [another list] Subject: OpenSSH trojan! (fwd) Date: Thu, 1 Aug 2002 07:30:37 -0400 (EDT) WARNIN