Anuerin G. Diaz writes:

> Hi,
>
> I'm currently downloading the 4.6 BSD ISO images. Does this mean that
> if the date of the md5sum file on the server I'm downloading from was
> modified on or after July 30, then the image might be compromised? Or
> does the trojan only affect the individual OpenSSH packages at the FTP
> sites?
>
> I know it's probably a stupid question, but I want to have confirmation.
>
> ciao!
Hi Anuerin,

I guess you need to redownload the install ISO image, FreeBSD-i386-4.6RC2.iso. After the release of FreeBSD-4.6-RELEASE, the FreeBSD security officer found so many bugs/vulnerabilities in the said release that the release group decided to release the RC2 ISO, found at ftp://ftp.freebsd.org/pub/FreeBSD/ISO-IMAGES-i386/4.6.1-RC2.iso. Try visiting http://www.freebsd.org/security for more info.

The security officer said that the release version of OpenSSH from the stable version was not infected by the said trojan.

HTH,

Jimmy Lim
Operation & Support Team Leader
Tricom

> Joon Guillen wrote:
>> <snip>
>>
>> Verify MD5 checksums
>>
>> You can use the following MD5 checksums to verify the integrity of
>> your OpenSSH source code distribution:
>>
>> Correct versions:
>>
>> 459c1d0262e939d6432f193c7a4ba8a8  openssh-3.4p1.tar.gz
>> d5a956263287e7fd261528bb1962f24c  openssh-3.4p1.tar.gz.sig
>> 39659226ff5b0d16d0290b21f67c46f2  openssh-3.4.tgz
>> 9d3e1e31e8d6cdbfa3036cb183aa4a01  openssh-3.2.2p1.tar.gz
>> be4f9ed8da1735efd770dc8fa2bb808a  openssh-3.2.2p1.tar.gz.sig
>>
>> At least one version of the modified Trojan horse distributions was
>> reported to have the following checksum:
>>
>> Trojan horse version:
>>
>> 3ac9bc346d736b4a51d676faa2a08a57  openssh-3.4p1.tar.gz
>>
>> Verify PGP signature
>>
>> Additionally, distributions of the portable release of OpenSSH are
>> distributed with detached PGP signatures. Note that the Trojan horse
>> versions were not signed correctly, and attempts to verify the
>> signatures would have failed.
>>
>> As a matter of good security practice, the CERT/CC encourages users to
>> verify, whenever possible, the integrity of downloaded software. For
>> more information, see
>>
>> http://www.cert.org/incident_notes/IN-2001-06.html
>>
>> <snip>
>
> --
>
> "Programming, an artform that fights back."
>
> =============================
> Anuerin G. Diaz
> Design Engineer
> Millennium Software, Incorporated
> 2305 B West Tower, Philippines Stocks Exchange Center,
> Exchange Road, Ortigas Center, Pasig City
>
> Tel# 637-4634 loc. 75
> Fax# 637-4679
>
> Registered Linux User #246176
> =============================
>
> _
> Philippine Linux Users Group. Web site and archives at http://plug.linux.org.ph
> To leave: send "unsubscribe" in the body to [EMAIL PROTECTED]
>
> To subscribe to the Linux Newbies' List: send "subscribe" in the body to [EMAIL PROTECTED]
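As an added example, not code from this thread, from CERT or from the OpenSSH project: a small POSIX sh script that applies the two checks the quoted advisory describes to a downloaded tarball. It hashes the file, looks the digest up in the good and trojan lists exactly as quoted above, and wraps `gpg --verify` for the detached signature. The function names, the use of `md5sum`/`md5` and `gpg`, and the constructed sample file in the usage are my assumptions, not anything from the advisory.

```shell
#!/bin/sh
# Added example, not code from the thread, CERT or the OpenSSH project.
# Checks a downloaded OpenSSH tarball the two ways the quoted advisory
# describes: MD5 against the published lists, then the detached PGP
# signature. Assumes md5sum (GNU) or md5 (BSD), and gpg for verify_sig.

# Known-good MD5s exactly as quoted in the thread.
GOOD_MD5="459c1d0262e939d6432f193c7a4ba8a8 openssh-3.4p1.tar.gz
d5a956263287e7fd261528bb1962f24c openssh-3.4p1.tar.gz.sig
39659226ff5b0d16d0290b21f67c46f2 openssh-3.4.tgz
9d3e1e31e8d6cdbfa3036cb183aa4a01 openssh-3.2.2p1.tar.gz
be4f9ed8da1735efd770dc8fa2bb808a openssh-3.2.2p1.tar.gz.sig"

# MD5 the advisory reported for one trojaned copy of openssh-3.4p1.tar.gz.
TROJAN_MD5="3ac9bc346d736b4a51d676faa2a08a57 openssh-3.4p1.tar.gz"

# Print the MD5 of a file; works with both GNU and BSD userlands.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# in_list LIST DIGEST NAME: succeed iff "DIGEST NAME" is a line of LIST.
# Whole-line, fixed-string, case-insensitive match, so "openssh-3.4.tgz"
# cannot accidentally match "openssh-3.4p1.tar.gz" and hex case is ignored.
in_list() {
    printf '%s\n' "$1" | grep -qixF -- "$2 $3"
}

# classify_digest DIGEST NAME: prints good, trojan or unknown.
classify_digest() {
    if in_list "$GOOD_MD5" "$1" "$2"; then
        echo good
    elif in_list "$TROJAN_MD5" "$1" "$2"; then
        echo trojan
    else
        echo unknown
    fi
}

# classify FILE [NAME]: hash FILE and classify it under NAME (default: its
# basename), so a renamed download can still be checked against the list.
classify() {
    classify_digest "$(md5_of "$1")" "${2:-$(basename "$1")}"
}

# verify_sig TARBALL: the independent check. A mirror that serves a
# trojaned tarball can serve a matching md5 list next to it, but cannot
# produce a valid detached signature without the release key; the key
# must come from somewhere other than that mirror. Not exercised offline.
verify_sig() {
    gpg --verify "$1.sig" "$1"
}

# Usage: sh verify_openssh.sh openssh-3.4p1.tar.gz
if [ $# -gt 0 ]; then
    echo "$1: $(classify "$1")"
    verify_sig "$1"
fi
```

The point of `verify_sig` is Anuerin's question: a changed md5sum file on the mirror proves nothing either way, because whoever replaced a tarball could replace the checksum file too, and an unchanged one can still sit beside a swapped tarball. Only the signature, checked against a key fetched from elsewhere, ties the file to the OpenSSH release. MD5 was what the 2002 advisory published; today you would compare SHA-256 digests and still treat the signature as the check that matters.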
