Message-ID: <Pine.LNX.4.58.0309201716001.21955@fuzzy.slackware.com>
Date: Sat, 20 Sep 2003 17:22:16 -0700 (PDT)
From: "Patrick J. Volkerding" <security@...ckware.com>
To: Piermark <bugs84@...ero.it>
Cc: bugtraq@...urityfocus.com, security-basics@...urityfocus.com
Subject: Re: <Advice> Possible Backdoor into openssh-3.7.1p1-i386-1.tgz from Slackware Mirror


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



On Sat, 20 Sep 2003, Piermark wrote:
> Hi,
>
> I have updated my Slackware 9.0 with openssh-3.7.1p1-i386-1.tgz from
> http://www.slackware.at/data/slackware-9.0/patches/packages/openssh-3.7.1p1-i386-1.tgz
>
> Now I have 3 new TCP/IP ports on my system (thanks, Nmap) :-)
>
> - 867 Open
> - 879 Open
> - 889 Open
>
> Example:
>
> telnet> open
> (to) 127.0.0.1 867
> Trying 127.0.0.1...
> Connected to 127.0.0.1.
> Escape character is '^]'.

I've verified the GPG signature for the package on ftp.slackware.at, and
it has not been tampered with.  The GPG signature of the
openssh-3.7.1p1.tar.gz has also been tested, and is signed with the
correct signature of the OpenSSH developer who signs such things.
Additionally, I've tested installing the package and found no unexpected
ports were opened.

Conclusion:  This report is false.

> These ports are chosen randomly from a range of 300 - 1200 !! and the size
> of the tgz varies for every mirror:
>
> 628642 Sep 20 17:58 openssh-3.7.1p1-i386-1.tgz (from www.slackware.at)
> 628481 Sep 20 21:01 openssh-3.7p1-i386-1.tgz   (from www.slackware.com)

Note that these are completely different package versions.

Regards,

Pat
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQE/bO89akRjwEAQIjMRAt6BAJ9S6WcnjbhfbgcWsfdutcclqxb+LQCfXPMH
L2qPHNBG4TWphoODKN9XBxE=
=n0SI
-----END PGP SIGNATURE-----
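The checks Pat describes above (verify the package's GPG signature, install it, and confirm no unexpected listening ports appeared) are easy to script. The following is an added example written for this archive page; it is not code from the thread or from Slackware. It assumes the mirror ships a detached signature as `PKG.asc` beside the package, that the signing key is already in the local keyring, and that the listening-port snapshot is taken with `ss -ltn` (on a 2003-era box the equivalent would be `netstat -ltn`). The `ss` output embedded below is constructed, not captured from anyone's machine.

```shell
#!/bin/sh
# Added example: package signature check plus a before/after listening-port
# diff. Not from the original thread; see the lead-in for assumptions.

# verify_pkg_sig PKG [SIG]: verify a detached GPG signature over PKG.
# Assumes SIG defaults to PKG.asc (assumption) and that the signing key
# is already trusted in the local keyring. Returns gpg's exit status,
# or 2 if gpg is not installed.
verify_pkg_sig() {
    pkg="$1"
    sig="${2:-$1.asc}"
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 2; }
    gpg --verify "$sig" "$pkg" >/dev/null 2>&1
}

# listening_tcp_ports: read `ss -ltn` output on stdin and print the set of
# local TCP ports that are listening, one per line, numerically sorted.
# Field 4 is "Local Address:Port"; the port is whatever follows the last
# colon, which also handles IPv6 forms such as "[::]:22".
listening_tcp_ports() {
    awk 'NR > 1 { n = split($4, a, ":"); print a[n] }' | sort -n | uniq
}

# new_listeners BEFORE_SS AFTER_SS: print (space-separated) the ports that
# listen in the AFTER snapshot but not in the BEFORE snapshot. Prints an
# empty line when nothing new is listening, which is what you expect from
# a clean upgrade of a package that only provides sshd on port 22.
new_listeners() {
    before=" $(printf '%s\n' "$1" | listening_tcp_ports | tr '\n' ' ')"
    added=""
    for p in $(printf '%s\n' "$2" | listening_tcp_ports); do
        case "$before" in
            *" $p "*) ;;                 # already listening before install
            *) added="$added $p" ;;      # new listener: investigate
        esac
    done
    printf '%s\n' "${added# }"
}

# Constructed sample snapshots in `ss -ltn` format (not real captures).
SS_BEFORE='State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     127.0.0.1:25         0.0.0.0:*
LISTEN  0       128     [::]:22              [::]:*'

# Same host with one extra listener added, to show what a real finding
# would look like in the diff.
SS_AFTER="$SS_BEFORE
LISTEN  0       128     0.0.0.0:867          0.0.0.0:*"

# Demonstration run on the constructed snapshots.
echo "no change:  [$(new_listeners "$SS_BEFORE" "$SS_BEFORE")]"
echo "new ports:  [$(new_listeners "$SS_BEFORE" "$SS_AFTER")]"
```

In practice you would capture `ss -ltn` into a file before `installpkg`/`upgradepkg`, capture it again afterwards, and feed both captures to `new_listeners`; the signature check goes first, since a package that fails `gpg --verify` should never be installed at all. Note that the port diff only tells you what is listening, not which process owns it; `ss -ltnp` (or `netstat -ltnp`) adds the owning PID for any port that does show up.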

