Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in

  FAQ | Search | Memberlist | Usergroups | Statistics | Profile | Log in to check your private messages | Log in | Register

SECURITY: is sendmail bugged?!?!?!
 View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
Rroet
Apprentice
Apprentice


Joined: 27 May 2002
Posts: 176
Location: The Hague, The Netherlands
PostPosted: Wed Oct 09, 2002 5:31 am    Post subject: SECURITY: is sendmail bugged?!?!?! Reply with quote
Did gentoo use the wrong sendmail package??
All sendmail packages downloaded from the sendmail FTP site between 28th of september and 6th of October contain a trojan horse.

This is the CERT anouncement: http://www.cert.org/advisories/CA-2002-28.html


Just so you know!! I hope Gentoo comes with an update soon...
Back to top
View user's profile Send private message
Curious
Bodhisattva
Bodhisattva


Joined: 13 May 2002
Posts: 395
Location: Sydney, Australia
PostPosted: Wed Oct 09, 2002 5:38 am    Post subject: Reply with quote
Sigh.

If you consult the ebuild for sendmail, you'll find that the MD5 sum that portage verifies the downloaded Sendmail against is the same as CERT gave out for the 'clean' build.

Trojaned packages would have failed MD5, and I *think* Portage would then have attempted to use another mirror. In fact, I think it would have been attempting to use a mirror in the first place ( ibiblio, for example ).

There is no need for an update.

-- Curious
_________________
Are you down with the Hawk?
Back to top
View user's profile Send private message
Rroet
Apprentice
Apprentice


Joined: 27 May 2002
Posts: 176
Location: The Hague, The Netherlands
PostPosted: Wed Oct 09, 2002 5:44 am    Post subject: Reply with quote
I hope so.. thnx.. will look at the ebuild file next time. for the MD5 hash.. good one.. didn't know it checked the sourcefile with a md5 hash.
Back to top
View user's profile Send private message
Curious
Bodhisattva
Bodhisattva


Joined: 13 May 2002
Posts: 395
Location: Sydney, Australia
PostPosted: Wed Oct 09, 2002 6:58 am    Post subject: Reply with quote
Rroet wrote:
didn't know it checked the sourcefile with a md5 hash.


Yeah, it's one of the cooler features of portage. :-)

-- Curious
_________________
Are you down with the Hawk?
Back to top
View user's profile Send private message
pilla
Bodhisattva
Bodhisattva


Joined: 07 Aug 2002
Posts: 7730
Location: Underworld
PostPosted: Wed Oct 09, 2002 1:37 pm    Post subject: Reply with quote
apt (used by Debian and Conectiva) have signed packages. As long as you have the keys from the ditribution, you can check all packages and be sure they are OK.

Curious wrote:
Rroet wrote:
didn't know it checked the sourcefile with a md5 hash.


Yeah, it's one of the cooler features of portage. :-)

-- Curious
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum



 Links: forums.gentoo.org | www.gentoo.org | bugs.gentoo.org | wiki.gentoo.org | forum-mods@gentoo.org

Copyright 2001-2024 Gentoo Foundation, Inc. Designed by Kyle Manna © 2003; Style derived from original subSilver theme. | Hosting by Gossamer Threads Inc. © | Powered by phpBB 2.0.23-gentoo-p11 © 2001, 2002 phpBB Group
Privacy Policy