OpenSSH packages not vulnerable – Debian Planet



    OpenSSH packages not vulnerable
    Submitted by robster on Thursday, August 01, 2002 – 16:22
    Security

    The OpenSSH 3.4p1 packages on the OpenBSD FTP server were trojaned earlier today, as discovered by a FreeBSD user, Edwin Groothuis. The trojan only works at build time, and binaries produced from the source are not vulnerable, as detailed on his weblog (copied to /. because of bandwidth limitations).

    The Debian packages were created some time ago from original untrojaned tarballs and are thus not affected in this way (and nor is the package maintainer’s machine). The source tarball and the binary packages in the Debian archive are not affected, as confirmed by the ssh package maintainer, and several other Debian developers.

    Category: News


    Subject: Thanks Robster
    Author: seeS
    Date: Thursday, 2002/08/01 – 23:23
    Hopefully this article will cut down the security traffic with people asking “are we vulnerable”?

    Subject: secure by default …
    Author: fork
    Date: Thursday, 2002/08/01 – 22:38
    It seems that De Raadt’s stuff is not always secure 😉 This is not a flame; this just proves that even a paranoiac can be hacked.

    I found more information here: http://www.deadly.org/article.php3?sid=20020801122759&mode=flat



    Subject: Not OpenBSD’s fault
    Author: by-tor
    Date: Friday, 2002/08/02 – 20:41
    Keep in mind, this has absolutely nothing to do with OpenBSD. The attack occurred because of Solaris, the OS running on the SUNsite hosting OpenBSD’s public services. If you blame anyone, blame SUN and their proprietary technology. Let’s not bash OpenBSD; it’s not their fault. Besides, they are our OpenSource brothers. We don’t compete with *BSD (Debian GNU/BSD).

    Be not anxious about what you have, but about what you are.
    — Pope St. Gregory I



    Subject: I don’t bash *BSD
    Author: fork
    Date: Saturday, 2002/08/03 – 05:23
    As I said, I don’t blame anyone. I just observe that even when people make a very good effort to prevent attacks, it is not always possible to prevent them.

    I think that debian should not compete with *BSD (free/net/openBSD are great OS), but should try to learn from this attack.


    Subject: Why are debian package signatures not verified on the client?
    Author: molo
    Date: Thursday, 2002/08/01 – 18:12
    When I download a debian package, I want to be able to verify (locally, on the client) that the package is the original, uploaded by the package maintainer (or compiled by my arch’s buildd).

    As it currently stands, I believe that the package signatures are checked only when the file gets uploaded to the archive. Is this correct?

    I’d like to have a detached OpenPGP signature for each .deb downloaded, and have apt-get verify each package automatically. Forgive me for not trusting the debian mirror system, but how can you guarantee that there isn’t a hacked transparent proxy between me and the mirror, replacing .debs?

    Architectures with a buildd would be a bit more work, because one needs to verify two levels of data – the original source package uploaded by the maintainer, and the binary compiled by the buildd.




    Subject: OK…
    Author: robot101
    Date: Thursday, 2002/08/01 – 20:10
    • debs are md5summed and listed in Packages files
    • dsc, tar.gz and diff.gz are md5summed and listed in Sources files
    • apt refuses to install packages if their md5sum doesn’t match, and reinstalls them if one with an unmatching md5sum is already installed
    • Packages and Sources files are md5summed and listed in Release files
    • and you check those with aj’s apt-check-sigs script
    • for stable and security, the key is the release manager’s or the security team’s, and is stored ‘elsewhere’
    • for testing and unstable, the key is stored on the ftp master server and signs the generated files every day automatically

    The signed .changes files which have the md5sums of the sources and debs at upload are stored for some time on the master server, but no longer seem to be publicly available.

    Robster is a monkey



    Subject: this is not sufficient
    Author: fork
    Date: Thursday, 2002/08/01 – 22:42
    This does not prevent introduction of this kind of trojan into the debian archive. Only a check from the maintainer (and a lot of “paranoia”) can save our soul.


    Subject: This kind of trojan…
    Author: robot101
    Date: Thursday, 2002/08/01 – 23:37
    Doesn’t affect the Debian archive, it affects the machine upon which source is built. All this signature checking does is ensure that what you download and install is that which was uploaded to the server by the trusted Debian developer, assuming the master server has not been compromised.

    Robster is a monkey


    Subject: This *particular* trojan..
    Author: molo
    Date: Friday, 2002/08/02 – 01:28
    This kind of trojan… Doesn’t affect the Debian archive, it affects the machine upon which source is built.

    This particular trojan doesn’t affect binaries, correct. However, this kind of trojan (that is, ones in source tarballs) absolutely 100% can affect the debian archive binaries.

    Besides, once the guy roots a debian maintainer’s build machine, what’s preventing him from stealing the guy’s private key and installing a keylogger to get the passphrase? We are lucky that this time someone found the problem within 6 hours.




    Subject: However, source is source so
    Author: jeremy
    Date: Friday, 2002/08/16 – 10:46
    However, source is source, so any trojan should hopefully be a lot easier to discover. If the same thing happened with binaries, it might take a lot longer to find out, and by that time it could be too late. Perhaps we should also encourage upstream maintainers to sign their source with GPG 🙂


    Subject: Ok, good start, but…
    Author: molo
    Date: Thursday, 2002/08/01 – 21:47
    Ok, I’m glad this stuff is able to be validated, but:

    1. This is not part of the standard distribution – people have to know about it and go find it.
    2. This is not integrated into APT. If I forget (or don’t script things) to use apt-check-sigs after each apt-get update, it’s not going to help.
    3. To trojan those people that ignore the release file’s signature (I would imagine this is the vast majority), one can just re-generate the md5sums for everything.

    In short, this is a good beginning, but it’s not a solution yet.

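    The chain robot101 lists (deb md5sum in Packages, Packages md5sum in Release, Release signed) and molo’s point 3 (regenerated md5sums fool anyone who skips the Release signature) as an added, constructed example; it is not code from the page or from apt, and it assumes the OpenPGP check of Release has already been done elsewhere (e.g. by apt-check-sigs), so the trusted Release text is the anchor. File contents, paths and the ssh package version used here are constructed sample data, not real archive files.

```python
import hashlib
import re

# Constructed sample archive data for this example (not real Debian files).
DEB_BYTES = b"constructed .deb payload\n"
DEB_PATH = "pool/main/o/openssh/ssh_3.4p1-1_i386.deb"
PACKAGES_PATH = "main/binary-i386/Packages"

def make_packages(deb_bytes, path=DEB_PATH):
    # Build a one-stanza Packages file: the .deb's md5sum and size live here.
    return (f"Package: ssh\nFilename: {path}\nSize: {len(deb_bytes)}\n"
            f"MD5sum: {hashlib.md5(deb_bytes).hexdigest()}\n\n")

def make_release(packages_text):
    # Build a Release file: the Packages file's md5sum and size live here.
    data = packages_text.encode()
    return (f"Suite: woody\nMD5Sum:\n {hashlib.md5(data).hexdigest()} "
            f"{len(data)} {PACKAGES_PATH}\n")

def parse_release(text):
    # Map path -> (md5, size) from the MD5Sum: section of a Release file.
    return {m.group(3): (m.group(1), int(m.group(2)))
            for m in re.finditer(r"^ ([0-9a-f]{32}) +(\d+) +(\S+)$", text, re.M)}

def parse_packages(text):
    # Map Filename -> (md5, size) for every stanza of a Packages file.
    entries = {}
    for stanza in text.strip().split("\n\n"):
        fields = dict(line.split(": ", 1) for line in stanza.splitlines())
        entries[fields["Filename"]] = (fields["MD5sum"], int(fields["Size"]))
    return entries

def verify(trusted_release, packages_text, deb_path, deb_bytes, check_release=True):
    # Walk the chain trusted Release -> Packages -> .deb, recomputing each hash.
    # check_release=False models a client that never checks the signed Release.
    if check_release:
        data = packages_text.encode()
        if parse_release(trusted_release).get(PACKAGES_PATH) != (
                hashlib.md5(data).hexdigest(), len(data)):
            return "Packages does not match the signed Release"
    if parse_packages(packages_text).get(deb_path) != (
            hashlib.md5(deb_bytes).hexdigest(), len(deb_bytes)):
        return "deb does not match its Packages entry"
    return "ok"

# Genuine archive: Release is assumed already signature-checked (apt-check-sigs).
TRUSTED_RELEASE = make_release(make_packages(DEB_BYTES))
# Tampered mirror: swapped .deb plus a regenerated, self-consistent Packages file.
EVIL_DEB = b"tampered .deb payload\n"
EVIL_PACKAGES = make_packages(EVIL_DEB)
```

    With the Release check in place the regenerated Packages file is rejected; with it skipped, the tampered pair is internally consistent and passes, which is exactly the gap molo describes.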


    Subject: md5?
    Author: annoia
    Date: Thursday, 2002/08/01 – 19:29
    Basically, what you want is the possibility to check the md5-sum, which is actually a very sensible request.

    When do we get that? HAVE we got that? Why not? 😉

