| Summary: | net-ftp/vsftpd: backdoor discovered in source code | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Mike Pagano <mpagano> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED INVALID | | |
| Severity: | normal | CC: | blueness, bugs, c1pher, hwoarang, wired |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |

Description
Mike Pagano
2011-07-05 01:06:53 UTC
It looks like we may be okay. Using the information from http://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html I did the following:

    wget https://security.appspot.com/downloads/vsftpd-2.3.4.tar.gz
    wget https://security.appspot.com/downloads/vsftpd-2.3.4.tar.gz.asc
    gpg --verify vsftpd-2.3.4.tar.gz.asc

and got "Good signature from "Chris Evans <chris@scary.beasts.org>".

Then

    sha256sum vsftpd-2.3.4.tar.gz

gave b466edf96437afa2b2bea6981d4ab8b0204b83ca0a2ac94bef6b62b42cc71a5a which matches the Manifest which has not changed in the last 6 weeks.

FYI the compromised tarball has sha256 2a4bb16562e0d594c37b4dd3b426cb012aa8457151d4718a5abd226cef9be3a5

Craig and I have checked our tarball yesterday as well and got to the same result, so Gentoo is not affected.
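
The hash comparison described in the report, written as a script that reads the SHA256 field from a Manifest `DIST` entry and also rejects the compromised tarball's hash quoted above. This is an added example, not part of the original bug report; the function names are hypothetical, the demo file and Manifest are constructed, and the `DIST <name> <size> <ALGO> <hash> ...` line layout is assumed.

```shell
#!/bin/sh
# Added example: compare a downloaded distfile with the SHA256 recorded in a
# Gentoo Manifest and with the known-bad hash quoted in the report.

# Hash of the compromised tarball, as quoted in the bug report.
BAD_SHA256=2a4bb16562e0d594c37b4dd3b426cb012aa8457151d4718a5abd226cef9be3a5

# manifest_sha256 MANIFEST FILENAME
# Prints the SHA256 field of the DIST entry for FILENAME (empty if absent).
# Assumed layout: DIST <name> <size> <ALGO> <hash> [<ALGO> <hash> ...]
manifest_sha256() {
    awk -v name="$2" '
        $1 == "DIST" && $2 == name {
            for (i = 4; i < NF; i += 2)
                if ($i == "SHA256") { print tolower($(i + 1)); exit }
        }' "$1"
}

# check_distfile MANIFEST FILE
# Returns 0 on match, 1 on mismatch, 2 if no Manifest entry, 3 if known bad.
check_distfile() {
    manifest=$1
    file=$2
    expected=$(manifest_sha256 "$manifest" "$(basename "$file")")
    [ -n "$expected" ] || { echo "no SHA256 entry in Manifest" >&2; return 2; }
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    [ "$actual" != "$BAD_SHA256" ] || { echo "known compromised tarball" >&2; return 3; }
    if [ "$actual" = "$expected" ]; then
        echo "OK $actual"
    else
        echo "MISMATCH expected=$expected actual=$actual" >&2
        return 1
    fi
}

# Constructed demo: a stand-in file and a Manifest written for it
# (not the real vsftpd tarball or Manifest).
demo() {
    dir=$(mktemp -d)
    printf 'constructed sample\n' > "$dir/sample-1.0.tar.gz"
    h=$(sha256sum "$dir/sample-1.0.tar.gz" | cut -d' ' -f1)
    printf 'DIST sample-1.0.tar.gz 19 SHA256 %s\n' "$h" > "$dir/Manifest"
    rc=0
    check_distfile "$dir/Manifest" "$dir/sample-1.0.tar.gz" || rc=$?
    rm -rf "$dir"
    return "$rc"
}
```

A Manifest hash only shows the file is the one the tree recorded; the `gpg --verify` step in the report is what ties the tarball to the upstream author's key.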