On Sat, Jan 27, 2007 at 09:45:14PM -0500, Wesley Shields wrote:
> > Looks like the bzipped tarball on their website has been altered -
> > possibly compromised.  I'm cc'ing the port maintainer, but I was
> > unable to find a security address at SILC to notify them.  I'm ccing
> > their abuse and postmaster addresses.

it's right there, on the web site:

SILC Project -> Contact Us -> Security Issues at [EMAIL PROTECTED] 

> Altered, yes.  Compromised is a bit of a jump.  Maybe they re-rolled
> it for any one of an infinite number of reasons.

the file was _NOT_ touched since it was released.  we never re-release
tarballs under the same version for this precise reason.

> > I would recommend that the port be marked BROKEN until this is
> > resolved.
> Seeing as how it passes checksums for me I'm leaning towards a local
> problem.

checksums of the file in the master download area match the checksums
in the FreeBSD ports tree.  there is no reason to believe the file (or
the machine) was compromised.

 $ cksum -a sha256 silc-toolkit-1.0.2.tar.bz2
 SHA256 (silc-toolkit-1.0.2.tar.bz2) = 
 $ cksum -a md5 silc-toolkit-1.0.2.tar.bz2
 MD5 (silc-toolkit-1.0.2.tar.bz2) = 869ce01349444a28fbace3c1bfe745ff
 $ cat silc-toolkit-1.0.2.tar.bz2.md5
 869ce01349444a28fbace3c1bfe745ff  silc-toolkit-1.0.2.tar.bz2

everything seems to indicate a local problem.
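
An added example, not part of the original message and not SILC or FreeBSD code: the comparison made above, checking a local file against published checksum lines in both the tagged form printed by cksum and the plain form of the .md5 file. The function names and the sample file are constructed for illustration; a line whose digest is empty is reported as unparseable rather than counted as a match.

```python
import hashlib
import hmac
import os
import re
import tempfile

# Tagged form from `cksum -a md5` ("MD5 (name) = hex") and plain .md5-file form ("hex  name")
BSD_LINE = re.compile(r"^([A-Za-z0-9-]+) \((.+)\) = ([0-9a-fA-F]+)$")
PLAIN_LINE = re.compile(r"^([0-9a-fA-F]+) [ *](.+)$")
ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256"}

def parse_checksum_line(line):
    """Return (algo, filename, hexdigest), or None if no usable digest is present."""
    line = line.strip()
    m = BSD_LINE.match(line)
    if m:
        return m.group(1).lower(), m.group(2), m.group(3).lower()
    m = PLAIN_LINE.match(line)
    if m and len(m.group(1)) in ALGO_BY_HEX_LEN:
        return ALGO_BY_HEX_LEN[len(m.group(1))], m.group(2), m.group(1).lower()
    return None

def file_digest(path, algo):
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):  # chunked: distfiles can be large
            h.update(chunk)
    return h.hexdigest()

def check_line(path, line):
    """Status of one published checksum line for the local file at path."""
    parsed = parse_checksum_line(line)
    if parsed is None:
        return "unparseable"  # includes a tagged line whose digest is empty
    algo, name, expected = parsed
    if name != os.path.basename(path):
        return "other-file"  # the line describes a different file name
    if algo not in hashlib.algorithms_available:
        return "unsupported"
    return "match" if hmac.compare_digest(file_digest(path, algo), expected) else "MISMATCH"

if __name__ == "__main__":
    # Constructed stand-in file and checksum lines (not the real tarball or its digests)
    path = os.path.join(tempfile.mkdtemp(), "sample.tar.bz2")
    with open(path, "wb") as f:
        f.write(b"constructed sample data\n")
    md5 = file_digest(path, "md5")
    lines = ["MD5 (sample.tar.bz2) = " + md5, md5 + "  sample.tar.bz2", "SHA256 (sample.tar.bz2) = "]
    print([check_line(path, l) for l in lines])  # ['match', 'match', 'unparseable']
```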


