07-05-2011, 03:11 AM
Misha Shnurapet

vsftpd in the news

There's something to consider about Chris Evans' blog post as of July 3 [1]:

> An incident, what fun! Earlier today, I was alerted that a vsftpd download from the master site (vsftpd-2.3.4.tar.gz) appeared to contain a backdoor.

> $ gpg ./vsftpd-2.3.4.tar.gz.asc
> gpg: Signature made Tue 15 Feb 2011 02:38:11 PM PST using DSA key ID 3C0E751C
> gpg: BAD signature from "Chris Evans <chris@scary.beasts.org>"

> The backdoor payload is interesting. In response to a smiley face in the FTP username, a TCP callback shell is attempted.

> There is no obfuscation.

I have a question: how does that relate to our package building process, and are GPG signatures verified?

Thanks.

[1] http://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html

--
Best regards,
Misha Shnurapet, Fedora Project Contributor
Email: shnurapet AT fedoraproject.org, IRC: misha on freenode
https://fedoraproject.org/wiki/shnurapet, GPG: 00217306
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
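
One way a package build can refuse a tarball like the one in the quoted post, shown as an added example (it is not part of the original message and not Fedora's build tooling). The function names, `PINNED_FPR` and the sample status lines are constructed for illustration; the check reads the machine-readable `--status-fd` output of `gpgv` instead of the human-readable text.

```shell
#!/bin/sh
# Added example: fail a build unless the tarball's detached signature is valid
# and made by a pinned key. PINNED_FPR is a constructed placeholder.
PINNED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"

# Read gpg/gpgv --status-fd lines on stdin. Succeed only if a VALIDSIG names
# the pinned fingerprint and no failure keyword appears anywhere.
sig_status_ok() {
    pinned=$1
    ok=1
    while read -r tag kw f1 rest || [ -n "$tag" ]; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case $kw in
            BADSIG|ERRSIG|EXPKEYSIG|REVKEYSIG|NO_PUBKEY)
                return 1 ;;
            VALIDSIG)
                # f1 = signing key fingerprint, last field = primary key fingerprint
                primary=${rest##* }
                if [ "$f1" = "$pinned" ] || [ "$primary" = "$pinned" ]; then
                    ok=0
                fi ;;
        esac
    done
    return "$ok"
}

# Usage: verify_tarball /path/to/keyring.gpg file.tar.gz.asc file.tar.gz
# Fails closed: no gpgv, no output, or no matching VALIDSIG all return non-zero.
verify_tarball() {
    gpgv --keyring "$1" --status-fd 1 "$2" "$3" 2>/dev/null |
        sig_status_ok "$PINNED_FPR"
}

# Constructed status output (not captured from a real run).
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2011-02-15 1297809491 0 4 0 17 2 00 0123456789ABCDEF0123456789ABCDEF01234567'
SAMPLE_BAD='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 89ABCDEF01234567 Example Signer <signer@example.org>'
```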
 
