Bugtraq mailing list archives
Re: trojan horse in recent openssh (version 3.4 portable 1)
From: Jim Breton <jamesb-bugtraq () alongtheway com>
Date: Thu, 1 Aug 2002 18:45:34 +0000
On Thu, Aug 01, 2002 at 02:17:36PM +0200, Christian Bahls wrote:
> 1.) I do not often check signatures on packets I install
Particularly difficult when there _are no_ signatures available for the package you want to install (in this case, the non-"portable" tarballs). AFAIK there have never been signatures available for the OpenBSD tarballs. At least none that I've seen on the FTP server. I hope this will change soon...?

I have also been curious as to how exactly DJM and the portability group have been verifying that _they_ obtained clean tarballs before applying their modifications. If they also have no way to verify tarballs, that effectively blinds a very important set of eyes from being able to spot trojans.

(Of course, if they are just doing CVS checkouts from a secure CVS server, this issue would be moot. But the fact that the portable versions were also trojaned, combined with the appearance that the trojaning occurred _on the FTP server and not on any development machines_, I think allows one to reasonably assume that the tarballs are being used. This last point may not be the case, we will have to wait for more information to come out.)
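The check Jim describes as missing, as an added example that is not part of this thread: a POSIX shell function that refuses a downloaded tarball unless its SHA-256 matches a digest pinned from a trusted out-of-band source, and, when a detached signature path is supplied, also requires gpg to validate it against a key already in the local keyring. The function names, the digest-tool fallback order and the sample file are my own assumptions, not anything from the OpenSSH project.

```shell
#!/bin/sh
# Added example (not from the thread): fail-closed verification of a
# downloaded tarball against a pinned SHA-256 digest and, optionally,
# a detached PGP signature. Usage: verify_tarball FILE SHA256 [SIGFILE]

sha256_of() {
    # Print the hex SHA-256 of "$1" using whichever tool is installed.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

verify_tarball() {
    file=$1; expected=$2; sig=${3:-}
    [ -f "$file" ] || { echo "missing file: $file" >&2; return 1; }

    # The digest must come from somewhere other than the mirror that served
    # the file (a ports tree, a previous good download, a signed announcement).
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "DIGEST MISMATCH for $file" >&2
        echo "  expected $expected" >&2
        echo "  actual   $actual" >&2
        return 1
    fi

    # Fail closed: a promised signature that is absent, or a gpg that is
    # missing, is treated the same as a bad signature.
    if [ -n "$sig" ]; then
        [ -f "$sig" ] || { echo "no signature $sig; refusing $file" >&2; return 1; }
        command -v gpg >/dev/null 2>&1 || { echo "gpg unavailable" >&2; return 1; }
        gpg --verify "$sig" "$file" 2>/dev/null \
            || { echo "BAD SIGNATURE on $file" >&2; return 1; }
    fi
    echo "OK: $file"
}

# Constructed sample: a one-line file whose SHA-256 is known.
demo() {
    tmp=$(mktemp); printf 'hello\n' > "$tmp"
    verify_tarball "$tmp" 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
    rc=$?; rm -f "$tmp"; return $rc
}
```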