Sender: rich AT phekda DOT freeserve DOT co DOT uk
Message-ID: <3F47C99F.4CDD5AC@phekda.freeserve.co.uk>
Date: Sat, 23 Aug 2003 21:07:59 +0100
From: Richard Dawe
X-Mailer: Mozilla 4.77 [en] (X11; U; Linux 2.2.23 i586)
X-Accept-Language: de,fr
MIME-Version: 1.0
To: DJGPP workers
Subject: Re: CERT Advisory CA-2003-21 GNU Project FTP Server Compromise
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Reply-To: djgpp-workers AT delorie DOT com

Hello.

CERT Advisory wrote:
[snip]
> The CERT/CC has received a report that the system housing the primary
> FTP servers for the GNU software project was compromised.
[snip]
> Verifying checksums
>
> The FSF has produced PGP-signed lists of known-good MD5 hashes of the
> software packages housed on the compromised server. These lists can be
> found at
>
> ftp://ftp.gnu.org/before-2003-08-01.md5sums.asc
> ftp://alpha.gnu.org/before-2003-08-01.md5sums.asc
[snip]

I've checked the tarballs I used for the DJGPP packages of the following
GNU programs. They were OK.

autoconf 2.57
automake 1.7, 1.7.x
coreutils 5.0 (NB: I only have diffs for this package.)
doschk 1.1
fileutils 4.x
gdb 5.3
gmp 3.1.x, 4.0.1, 4.1, 4.1.x
miscfiles 1.2, 1.3
units 1.80
vera 1.9

If I've packaged something and it's not listed above, it means that either:

(a) it wasn't listed in the md5sums file, or
(b) I don't know which tarball I used to prepare the package.

FWIW all the packages I checked at work (which had been downloaded after
the compromise) matched the MD5 sums listed in the files above. That
included various versions of gcc, coreutils, Emacs. That's no reason to
assume that they will match, though.

Has anyone else checked the tarballs they used to prepare packages?

Bye, Rich =]

-- 
Richard Dawe [ http://www.phekda.freeserve.co.uk/richdawe/ ]
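As an added example (not code from the message, the FSF or the DJGPP project), the check Richard describes: parse a PGP-clearsigned md5sums list of the kind the advisory points at and classify each local tarball as matching, mismatching, or not covered by the list at all (the position he is in for packages whose tarball he cannot identify). The list layout, the filenames and the hashes are assumptions or constructed sample data; the PGP signature on the real list still has to be verified with gpg before the parsed hashes are trusted.

```python
"""Check local tarballs against a PGP-clearsigned md5sums list. Added example,
not from the original message or the FSF. Assumes md5sum-style "<32 hex>  <path>"
lines inside a clearsigned wrapper like before-2003-08-01.md5sums.asc. Verify the
PGP signature separately (gpg --verify) before trusting the list; this code only
parses the signed body. Every tarball and hash below is constructed for the demo."""
import hashlib

BEGIN = "-----BEGIN PGP SIGNED MESSAGE-----"
SIG = "-----BEGIN PGP SIGNATURE-----"

def signed_body(text):
    """Payload lines of a clearsigned message (RFC 4880 7.1): skip armor headers
    up to the first blank line, stop at the signature, undo "- " dash-escaping."""
    lines = text.splitlines()
    if not lines or lines[0] != BEGIN:
        raise ValueError("not a PGP clearsigned message")
    start = lines.index("", 1) + 1
    return [l[2:] if l.startswith("- ") else l
            for l in lines[start:lines.index(SIG, start)]]

def parse_md5sums(text):
    """Map tarball basename -> expected MD5 hex digest from the signed list."""
    expected = {}
    for line in signed_body(text):
        parts = line.split(None, 1)
        if len(parts) == 2 and len(parts[0]) == 32:   # skip comments and blanks
            expected[parts[1].lstrip("*").rsplit("/", 1)[-1]] = parts[0].lower()
    return expected

def check_tarballs(expected, tarballs):
    """Return {name: 'ok' | 'MISMATCH' | 'not listed'}. A file absent from the
    list is not a pass: the known-good hashes simply do not cover it."""
    return {name: "not listed" if name not in expected else
            "ok" if hashlib.md5(data).hexdigest() == expected[name] else "MISMATCH"
            for name, data in tarballs.items()}

# Constructed demo: a list built from pristine bytes, then checked against one
# pristine, one tampered and one unlisted local tarball.
PRISTINE = {"autoconf-2.57.tar.gz": b"pristine autoconf 2.57",
            "units-1.80.tar.gz": b"pristine units 1.80"}
SAMPLE_LIST = "\n".join(
    [BEGIN, "Hash: SHA1", ""]
    + ["%s  gnu/%s" % (hashlib.md5(d).hexdigest(), n) for n, d in PRISTINE.items()]
    + [SIG, "(signature omitted in this constructed sample)", "-----END PGP SIGNATURE-----"])
LOCAL = dict(PRISTINE, **{"units-1.80.tar.gz": b"tampered units 1.80",
                          "gdb-5.3.tar.gz": b"not covered by the list"})

def demo():
    return check_tarballs(parse_md5sums(SAMPLE_LIST), LOCAL)
```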