OpenSSH 3.4p1 package trojaned

Nothinman

Elite Member
Sep 14, 2001
Weblog mirror here as the original has used all its bandwidth
FreeBSD-Security message here

The main ssh code wasn't touched so it looks like it only affects those building from source, so binaries from distributions should be fine.

Gotta love Slashdot posters for this comment:

It was "no remote holes in 5 years". Now it's "one remote hole in the default install, in nearly 6 years!"

Next it will be "one remote hole and one 'harmless trojan' in the default install, in really very close to 6 years!"

RSMemphis

Golden Member
Oct 6, 2001
Good find. There is a reason why I track new releases for a bit... And I never override checksums.

geoff2k

Golden Member
Sep 2, 2000
The whole point of having checksums is to catch stuff like this. Why would anybody disable them?

I'm not sure whether the OpenBSD "number of holes" claims are affected by this... It is one thing for OpenBSD to actually ship trojaned code that made it into CVS as part of a release, but for somebody to break into a server that the OpenBSD folks aren't responsible for and change one of their distribution files... how is that a weakness in OpenBSD?

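The checksum discipline geoff2k and RSMemphis describe, written out as an added example (this is not code from the thread, from OpenSSH or from any BSD ports tree): a POSIX sh verifier that compares a downloaded file's SHA-256 against a digest recorded from a source independent of the download mirror, and refuses to continue on a mismatch rather than letting anyone "override" it. The file names and contents below are constructed for the demonstration; the helper names (`file_sha256`, `verify_checksum`, `demo`) are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenSSH/OpenBSD:
# verify a downloaded source tarball against a checksum recorded from a
# source independent of the download mirror (the way a ports distinfo
# file does), and fail closed on a mismatch instead of overriding it.

# Print the hex SHA-256 of a file; tries GNU coreutils, Perl shasum, then BSD sha256.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{ print $1 }'
    else
        sha256 -q "$1"
    fi
}

# verify_checksum FILE EXPECTED_HEX
# Returns 0 only when the file's digest equals EXPECTED_HEX; 1 otherwise
# (including when the file is missing or cannot be hashed).
verify_checksum() {
    file=$1
    expected=$2
    [ -f "$file" ] || { echo "missing file: $file" >&2; return 1; }
    actual=$(file_sha256 "$file") || return 1
    if [ "$actual" = "$expected" ]; then
        echo "OK       $file"
        return 0
    fi
    echo "MISMATCH $file" >&2
    echo "  recorded: $expected" >&2
    echo "  computed: $actual" >&2
    return 1
}

# Demonstration with constructed files (no real OpenSSH tarball is involved).
# Returns 0 when the pristine copy verifies and the altered copy is rejected.
demo() {
    dir=$(mktemp -d) || return 1
    tarball="$dir/openssh-example.tar.gz"
    # A pristine "release": its digest is recorded at release time, away
    # from the mirror that will later serve the file.
    printf 'pristine source tree\n' > "$tarball"
    recorded=$(file_sha256 "$tarball")
    verify_checksum "$tarball" "$recorded" || { rm -rf "$dir"; return 1; }
    # The copy on the mirror is then altered. The recorded digest still
    # reflects the clean release, so verification must now fail.
    printf 'extra bytes\n' >> "$tarball"
    if verify_checksum "$tarball" "$recorded"; then
        echo "unexpected: altered file passed verification" >&2
        rm -rf "$dir"
        return 1
    fi
    rm -rf "$dir"
    return 0
}

demo
```

The point the thread makes is carried by where `recorded` comes from: a digest fetched from the same mirror as the tarball proves nothing, because whoever altered the tarball could alter the digest beside it. A digest that reached you by a separate path (a ports/distinfo tree synced from elsewhere, a release announcement, a signed manifest) is what lets a mismatch mean "the file changed", and the right response to that mismatch is to stop, not to bypass the check.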
Mucman

Diamond Member
Oct 10, 1999
Cool! Reading how he figured it out was pretty cool :). That's why whenever I see an invalid checksum I re-run cvsup then try again...

n0cmonkey

Elite Member
Jun 10, 2001
Just an FYI, the trojaned source dated July 31. Also, not *just* the portable version was affected.