yes and no. they (FreeBSD guys) could have modified files in the iso between the 30th and 31st. that doesn't necessarily mean that it was openssh that was changed, it could have been anything in the iso, and that would change its mtime.
anyway the openssh that comes with 4.6-RELEASE is exploitable in itself without worrying about trojans :)

http://www.cert.org/advisories/CA-2002-18.html

Anuerin G. Diaz wrote:

>hi,
>
>   I'm currently downloading the 4.6 BSD iso images. does this mean that
>if the date of the md5sum file in the server I'm downloading was modified
>on or later than July 30 then the image might be compromised? or does
>the trojan only affect the individual openssh packages at the ftp sites?
>
>   i know it's probably a stupid question but i want to have confirmation.
>
>ciao!
>
>Joon Guillen wrote:
>
>
><snip>
>
>
>>Verify MD5 checksums
>>
>>   You can use the following MD5 checksums to verify the integrity of
>>   your OpenSSH source code distribution:
>>   Correct versions:
>>
>>     459c1d0262e939d6432f193c7a4ba8a8 openssh-3.4p1.tar.gz
>>     d5a956263287e7fd261528bb1962f24c openssh-3.4p1.tar.gz.sig
>>     39659226ff5b0d16d0290b21f67c46f2 openssh-3.4.tgz
>>     9d3e1e31e8d6cdbfa3036cb183aa4a01 openssh-3.2.2p1.tar.gz
>>     be4f9ed8da1735efd770dc8fa2bb808a openssh-3.2.2p1.tar.gz.sig
>>
>>   At least one version of the modified Trojan horse distributions was
>>   reported to have the following checksum:
>>   Trojan horse version:
>>
>>     3ac9bc346d736b4a51d676faa2a08a57 openssh-3.4p1.tar.gz
>>
>>Verify PGP signature
>>
>>   Additionally, distributions of the portable release of OpenSSH are
>>   distributed with detached PGP signatures. Note that the Trojan horse
>>   versions were not signed correctly, and attempts to verify the
>>   signatures would have failed.
>>
>>   As a matter of good security practice, the CERT/CC encourages users to
>>   verify, whenever possible, the integrity of downloaded software. For
>>   more information, see
>>
>>   http://www.cert.org/incident_notes/IN-2001-06.html
>>
>>
>
><snip>
>

_
Philippine Linux Users Group.
Web site and archives at http://plug.linux.org.ph
To leave: send "unsubscribe" in the body to [EMAIL PROTECTED]
To subscribe to the Linux Newbies' List: send "subscribe" in the body to [EMAIL PROTECTED]
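
The checksum comparison from the quoted advisory text, as an added example that is not part of the original message or of the CERT advisory. It judges a download by its content hash rather than by any file date, and the function names (`md5_of`, `classify`, `check_file`) are hypothetical; the digests are the ones quoted in the thread.

```python
import hashlib
import os
import sys

# Reference values copied from the advisory text quoted in the thread above.
KNOWN_GOOD = {
    "openssh-3.4p1.tar.gz": "459c1d0262e939d6432f193c7a4ba8a8",
    "openssh-3.4p1.tar.gz.sig": "d5a956263287e7fd261528bb1962f24c",
    "openssh-3.4.tgz": "39659226ff5b0d16d0290b21f67c46f2",
    "openssh-3.2.2p1.tar.gz": "9d3e1e31e8d6cdbfa3036cb183aa4a01",
    "openssh-3.2.2p1.tar.gz.sig": "be4f9ed8da1735efd770dc8fa2bb808a",
}
KNOWN_TROJAN = {"3ac9bc346d736b4a51d676faa2a08a57"}


def md5_of(path, chunk_size=1 << 20):
    """Stream the file so a large tarball or ISO never has to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(name, digest):
    """Return 'trojan', 'good', 'mismatch' or 'unlisted' for a file name and MD5."""
    digest = digest.strip().lower()
    if digest in KNOWN_TROJAN:
        return "trojan"      # checked first, whatever the file is called
    expected = KNOWN_GOOD.get(os.path.basename(name))
    if expected is None:
        return "unlisted"    # the quoted list has no reference value for this name
    return "good" if digest == expected else "mismatch"


def check_file(path):
    return classify(path, md5_of(path))


if __name__ == "__main__":
    status = 0
    for p in sys.argv[1:]:
        verdict = check_file(p)
        print(f"{verdict:9} {p}")
        if verdict != "good":
            status = 1       # anything other than a listed good hash fails the run
    sys.exit(status)
```

A file the quoted list does not name, such as an ISO image, comes back as `unlisted`: the list only carries reference values for the OpenSSH source files.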
