
Re: Fwd: CERT Advisory CA-2002-28 Trojan Horse Sendmail Distribution

Debian (me & the buildds) are not vulnerable :)

I always verify the MD5sums with the announcement letters, and then
store that, along with the signature file in the source deb - allowing
for verification like that below.

I also have the sendmail key on my private keyring, instead of using
the one in the tarball (it wasn't trojanned this time, but I'm ready
if they try it later).

[11:31:44 cowboy@badlands:sendmail-8.12.6 565:0]$ debian/rules verify
# Verifying the md5 summs and signed files
Checking MD5 source: ./sendmail.8.12.6.tar.md5.
Checking signature file ./sendmail.8.12.6.tar.sig.
gpg: Signature made Mon Aug 26 22:06:30 2002 EDT using RSA key ID 678C0A03
gpg: Good signature from "Sendmail Signing Key/2002 <sendmail@Sendmail.ORG>"

Rick Nelson
<DannyS> Hit the monkey to win $20(*)!
* knghtbrd gets out his mallet.
* knghtbrd plants it firmly on DannyS' head.
* knghtbrd will take his $20 now.  =D
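
The practice described in the message above, checking a download against a digest and key held outside the download itself, illustrated as an added example (not part of the original message and not Debian's packaging code). It assumes SHA-256 in place of MD5, and the archive layout, file names and sample contents are constructed for the illustration.

```python
import hashlib
import hmac
import io
import tarfile


def make_tarball(files):
    """Build a deterministic in-memory tar archive from {name: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)  # mtime defaults to 0, so output is stable
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def digest(data):
    return hashlib.sha256(data).hexdigest()


def verify_pinned(tarball, pinned_hex):
    """Strong check: compare the whole archive to a digest recorded out of band
    (for example, copied from the signed release announcement)."""
    return hmac.compare_digest(digest(tarball), pinned_hex.lower())


def verify_bundled(tarball, member="CHECKSUM", payload="src/main.c"):
    """Weak check: trusts a checksum that ships inside the same archive."""
    with tarfile.open(fileobj=io.BytesIO(tarball)) as tar:
        claimed = tar.extractfile(member).read().decode().strip()
        body = tar.extractfile(payload).read()
    return hmac.compare_digest(digest(body), claimed)


def build_release(src):
    """Hypothetical release layout: one source file plus a bundled checksum."""
    return make_tarball({"src/main.c": src, "CHECKSUM": digest(src).encode()})


# Constructed sample data: a genuine release and a modified copy of it.
GENUINE_SRC = b"int main(void) { return 0; }\n"
MODIFIED_SRC = GENUINE_SRC + b"/* constructed stand-in for injected code */\n"
genuine = build_release(GENUINE_SRC)
modified = build_release(MODIFIED_SRC)  # bundled checksum regenerated to match
PINNED = digest(genuine)                # stored with the packaging, not downloaded

if __name__ == "__main__":
    for label, blob in (("genuine", genuine), ("modified", modified)):
        print(label, "bundled:", verify_bundled(blob),
              "pinned:", verify_pinned(blob, PINNED))
```

The bundled check accepts both archives because whoever altered the archive also controls the checksum inside it; only the pinned digest rejects the modified copy. The same reasoning applies to a signing key shipped in the tarball versus one already on the verifier's own keyring.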
