Hello,

When doing the usual "apt-get upgrade" on the security sources.list, these packages "want" to be installed:

33ebccfeda79653d305c2ebc5416b331  php4-imap_4%3a4.1.2-7.0.1_i386.deb
3b6588b6fa8f873b9a7e49c1fcbb0c72  php4_4%3a4.1.2-7.0.1_i386.deb
(both with mtime July 22nd)

Whereas in this advisory, these are the respective checksums:

    http://security.debian.org/pool/updates/main/p/php4/php4-imap_4.1.2-7_i386.deb
      Size/MD5 checksum:   376838 0faa6391096915c65f1f724b651241f5
    http://security.debian.org/pool/updates/main/p/php4/php4_4.1.2-7_i386.deb
      Size/MD5 checksum:   582310 fcaf92f17db9813ab02fd7fbafef9dff

My buddy has looked up "3b6588b6fa8f873b9a7e49c1fcbb0c72" in Google and has found:
http://ftp.debian.org/debian/dists/woody-proposed-updates/php4_4.1.2-7.0.1_i386.changes
which when checked with gpg gives:
gpg: Signature made Thu Jul 22 11:42:37 2004 MEST using DSA key ID C6CEA0C9
gpg: Good signature from "Adam Conrad <[EMAIL PROTECTED]>"
gpg: aka "Adam Conrad <[EMAIL PROTECTED]>"
..
Primary key fingerprint: C8B2 CB3E 3225 49BB 5ED2 0002 BE3C ED47 C6CE A0C9


(Looking for some evidence that this is the valid key of the maintainer, I've found http://lists.debian.org/debian-newmaint/2002/04/msg00062.html which has been signed with that same key, ok.)

So in the end this just means that a new security release has been made without a new advisory, and you should check the signatures yourself - consider this email as a little help on the way to establish your own trust chain.

Cheers,
Christian.
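
The check described in the message above, as an added example that is not part of the original post: it compares a downloaded .deb against the Files: entries of a .changes payload and undoes the URL-encoded epoch (4%3a) that apt keeps in its cache file names. The function names and the sample payload are constructed for illustration, and the code assumes its input is the signed text that gpg wrote out after reporting a good signature, not the raw file, whose text outside the armor is unsigned.

```python
import hashlib
from urllib.parse import unquote


def parse_signed_files(payload):
    """Map filename -> (md5, size) from the Files: field of a .changes payload."""
    files, in_field = {}, False
    for line in payload.splitlines():
        if line.startswith("Files:"):
            in_field = True
        elif in_field and line.startswith(" ") and line.strip():
            md5, size, _section, _priority, name = line.split()
            files[name] = (md5.lower(), int(size))
        elif in_field:
            break  # first non-indented line ends the field
    return files


def pool_name(cache_name):
    """apt's cache keeps the epoch URL-encoded (4%3a); the signed names omit it."""
    pkg, version, rest = unquote(cache_name).split("_", 2)
    return "_".join((pkg, version.split(":", 1)[-1], rest))


def check_deb(cache_name, data, files):
    """Return 'ok', 'mismatch' or 'not-listed' for one downloaded package."""
    entry = files.get(pool_name(cache_name))
    if entry is None:
        return "not-listed"  # the signature says nothing about this file
    md5, size = entry
    same = len(data) == size and hashlib.md5(data).hexdigest() == md5
    return "ok" if same else "mismatch"


# Constructed sample: stand-in bytes and a Files: entry built from them.
SAMPLE_DEB = b"constructed stand-in for the php4 .deb contents\n"
SAMPLE_PAYLOAD = (
    "Format: 1.7\n"
    "Source: php4\n"
    "Version: 4:4.1.2-7.0.1\n"
    "Files:\n"
    f" {hashlib.md5(SAMPLE_DEB).hexdigest()} {len(SAMPLE_DEB)} web optional"
    " php4_4.1.2-7.0.1_i386.deb\n"
)

if __name__ == "__main__":
    signed = parse_signed_files(SAMPLE_PAYLOAD)
    print(check_deb("php4_4%3a4.1.2-7.0.1_i386.deb", SAMPLE_DEB, signed))
```

A "not-listed" result is as important as "mismatch": a file that the signed payload does not name is not covered by the signature at all.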

