I would hope the web site is some semi-automatic thing.

I should also note that since MD5 has an easy
hash-collision-generation function against it, the contents of the
openssl-0.9.8f file that was available there that didn't match the
sha1 should be evaluated and diffed.

I think this should be treated as an attack against the OpenSSL code
infrastructure.  A file that doesn't match its hashes, signed by a key
that isn't on the OpenSSL listed keys list?  That has all the earmarks
of a hack, and anyone who downloaded the tainted tar needs to know
what's in it that shouldn't be there compared to what they should have
gotten.

On 10/17/07, Lutz Jaenicke via RT <[EMAIL PROTECTED]> wrote:
> Grr. The OpenSSL web site is some (semi-)automatic thing that is updated
> in a magic way. Probably only Ralf Engelschall fully understands how
> this works :-)
> I have made sure the correct files are linked now.
>
> Best regards,
>    Lutz
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> Development Mailing List                       openssl-dev@openssl.org
> Automated List Manager                           [EMAIL PROTECTED]
>
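The checks argued for above, as an added example that is not part of the original thread: it compares a tarball against its published digests, treats an MD5-only match as insufficient, and lists what a suspect copy adds, removes or changes relative to the known-good release. File names and contents are constructed placeholders; checking the signature against the project's key list is left to gpg and not modelled.

```python
import hashlib
import io
import tarfile

# Digests a release page publishes for a tarball.  Trust the file only when
# every published digest matches; an MD5 match on its own proves little,
# since MD5 collisions can be generated on demand.
def digests(data):
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest()}

def check_hashes(data, published):
    """Return the names of the published digests that data does NOT match."""
    actual = digests(data)
    return sorted(alg for alg, hexval in published.items() if actual[alg] != hexval)

def tar_members(data):
    """Map member name -> content for an in-memory, uncompressed tarball."""
    members = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tf:
        for m in tf.getmembers():
            if m.isfile():
                members[m.name] = tf.extractfile(m).read()
    return members

def diff_tarballs(good, suspect):
    """What the suspect tarball adds, drops or changes versus the known-good one."""
    g, s = tar_members(good), tar_members(suspect)
    added = sorted(set(s) - set(g))
    removed = sorted(set(g) - set(s))
    changed = sorted(n for n in set(g) & set(s) if g[n] != s[n])
    return added, removed, changed

def build_tar(files):
    """Build a deterministic tarball in memory (used only for constructed samples)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, content in sorted(files.items()):
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()

# Constructed sample: a stand-in for the published tarball, and a copy that
# differs by an altered Makefile and an extra file.  Paths are placeholders.
GOOD_FILES = {"openssl-0.9.8f/Makefile": b"all: build\n",
              "openssl-0.9.8f/crypto/md5/md5.c": b"/* md5 */\n"}
TAINTED_FILES = {**GOOD_FILES, "openssl-0.9.8f/Makefile": b"all: build\n\t@echo extra\n",
                 "openssl-0.9.8f/extra.sh": b"# not in the release\n"}
GOOD_TAR, TAINTED_TAR = build_tar(GOOD_FILES), build_tar(TAINTED_FILES)
PUBLISHED = digests(GOOD_TAR)  # stands in for the posted .md5 / .sha1 files
```

Run against a real download, `check_hashes` takes the digests copied from the release page and `diff_tarballs` the tarball re-fetched from a mirror whose digests do match.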