View previous topic :: View next topic |
Author |
Message |
Rroet Apprentice
Joined: 27 May 2002 Posts: 176 Location: The Hague, The Netherlands
|
Posted: Wed Oct 09, 2002 5:31 am Post subject: SECURITY: is sendmail bugged?!?!?! |
|
|
Did gentoo use the wrong sendmail package??
All sendmail packages downloaded from the sendmail FTP site between 28th of september and 6th of October contain a trojan horse.
This is the CERT anouncement: http://www.cert.org/advisories/CA-2002-28.html
Just so you know!! I hope Gentoo comes with an update soon... |
|
Back to top |
|
|
Curious Bodhisattva
Joined: 13 May 2002 Posts: 395 Location: Sydney, Australia
|
Posted: Wed Oct 09, 2002 5:38 am Post subject: |
|
|
Sigh.
If you consult the ebuild for sendmail, you'll find that the MD5 sum that portage verifies the downloaded Sendmail against is the same as CERT gave out for the 'clean' build.
Trojaned packages would have failed MD5, and I *think* Portage would then have attempted to use another mirror. In fact, I think it would have been attempting to use a mirror in the first place ( ibiblio, for example ).
There is no need for an update.
-- Curious _________________ Are you down with the Hawk? |
|
Back to top |
|
|
Rroet Apprentice
Joined: 27 May 2002 Posts: 176 Location: The Hague, The Netherlands
|
Posted: Wed Oct 09, 2002 5:44 am Post subject: |
|
|
I hope so.. thnx.. will look at the ebuild file next time. for the MD5 hash.. good one.. didn't know it checked the sourcefile with a md5 hash. |
|
Back to top |
|
|
Curious Bodhisattva
Joined: 13 May 2002 Posts: 395 Location: Sydney, Australia
|
Posted: Wed Oct 09, 2002 6:58 am Post subject: |
|
|
Rroet wrote: | didn't know it checked the sourcefile with a md5 hash. |
Yeah, it's one of the cooler features of portage.
-- Curious _________________ Are you down with the Hawk? |
|
Back to top |
|
|
pilla Bodhisattva
Joined: 07 Aug 2002 Posts: 7731 Location: Underworld
|
Posted: Wed Oct 09, 2002 1:37 pm Post subject: |
|
|
apt (used by Debian and Conectiva) have signed packages. As long as you have the keys from the ditribution, you can check all packages and be sure they are OK.
Curious wrote: | Rroet wrote: | didn't know it checked the sourcefile with a md5 hash. |
Yeah, it's one of the cooler features of portage.
-- Curious |
|
|
Back to top |
|
|
|