
debsums: no md5sums for a lot of important packages on sarge



Dear all

During investigation of kernel panics on a Debian stable (sarge)
server I administer I installed debsums. The result of the first run
was:

blah:~# debsums -c
debsums: no md5sums for at
debsums: no md5sums for base-files
debsums: no md5sums for binutils
debsums: no md5sums for bsdutils
debsums: no md5sums for bzip2
debsums: no md5sums for console-data
debsums: no md5sums for debian-archive-keyring
debsums: no md5sums for ed
debsums: no md5sums for gnupg
debsums: no md5sums for gpgv
debsums: no md5sums for hotplug
debsums: no md5sums for initscripts
debsums: no md5sums for kernel-image-2.6.8-2-686
debsums: no md5sums for klogd
debsums: no md5sums for libbz2-1.0
debsums: no md5sums for libdb4.2
debsums: no md5sums for libdb4.3
debsums: no md5sums for libdb4.4
debsums: no md5sums for libgdbm3
debsums: no md5sums for liblockfile1
debsums: no md5sums for libncurses5
debsums: no md5sums for libncursesw5
debsums: no md5sums for libreadline4
debsums: no md5sums for make
debsums: no md5sums for mawk
debsums: no md5sums for mime-support
debsums: no md5sums for module-init-tools
debsums: no md5sums for modutils
debsums: no md5sums for mount
debsums: no md5sums for ncurses-base
debsums: no md5sums for ncurses-bin
debsums: no md5sums for netbase
debsums: no md5sums for openbsd-inetd
debsums: no md5sums for php4
debsums: no md5sums for php4-pear
debsums: no md5sums for rsync
debsums: no md5sums for squid
debsums: no md5sums for squid-common
debsums: no md5sums for ssh
debsums: no md5sums for sysklogd
debsums: no md5sums for sysv-rc
debsums: no md5sums for sysvinit
debsums: no md5sums for sysvinit-utils
debsums: no md5sums for update-inetd
debsums: no md5sums for util-linux
blah:~#

Now, I consider this a pretty secure machine; I monitor it closely
with tripwire, it has a very tight network fingerprint, multiple
layers of authentication, latest security patches are always installed
on the day they are published etc.

So I believe the above output NOT to be the result of a breach. My
question is, is it acceptable to have so many important and widely
used packages in *stable* without MD5 checksums?

Secondly, how can one fix this on a production system? Is the
following method proposed by Paul Gear @
http://lists.debian.org/debian-security/2005/06/msg00126.html the
best/only way?

cd /var/cache/apt/archives
apt-get --download-only --reinstall install `debsums -l`
debsums --generate=keep,nocheck *.deb

Thanks for any input

-A
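
The two checks discussed in the message above, as an added example that is not part of the original post and not debsums' own code: which installed packages have no md5sums file, and which files of a package no longer match their recorded sum. The function names (missing_md5sums, changed_files) are hypothetical, and the script assumes the dpkg layout of /var/lib/dpkg/info/<pkg>.list and <pkg>.md5sums; the sample tree is constructed.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed layout, as on a dpkg
# system: <info_dir>/<pkg>.list plus an optional <info_dir>/<pkg>.md5sums whose
# lines read "<md5hex>  <path relative to the filesystem root>".

# Print packages that have a .list file but no .md5sums file.
missing_md5sums() {
    info_dir=${1:-/var/lib/dpkg/info}
    for list in "$info_dir"/*.list; do
        [ -e "$list" ] || continue            # glob matched nothing
        pkg=$(basename "$list" .list)
        [ -f "$info_dir/$pkg.md5sums" ] || printf '%s\n' "$pkg"
    done
}

# Print files of one package that are missing or differ from the recorded sum.
# Returns 0 if all match, 1 if any differ, 2 if the package has no md5sums.
changed_files() {
    pkg=$1; info_dir=${2:-/var/lib/dpkg/info}; root=${3:-}
    [ -f "$info_dir/$pkg.md5sums" ] || return 2
    differs=0
    while read -r want path; do
        have=
        if [ -f "$root/$path" ]; then
            have=$(md5sum < "$root/$path" | cut -d' ' -f1)
        fi
        if [ "$have" != "$want" ]; then
            printf '/%s\n' "$path"
            differs=1
        fi
    done < "$info_dir/$pkg.md5sums"
    return "$differs"
}

# Constructed sample tree: "at" has no md5sums; "ed" has one and is then modified.
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/info" "$t/root/bin"
    printf 'original\n' > "$t/root/bin/ed"
    : > "$t/info/at.list"; : > "$t/info/ed.list"
    (cd "$t/root" && md5sum bin/ed) > "$t/info/ed.md5sums"
    missing_md5sums "$t/info"
    changed_files ed "$t/info" "$t/root" && echo "ed: clean"
    printf 'tampered\n' > "$t/root/bin/ed"
    changed_files ed "$t/info" "$t/root" || echo "ed: modified"
    rm -rf "$t"
}
demo
```

Checksum files kept on the same host can be rewritten by anyone with root, so a clean result here shows the absence of corruption or careless modification, not the absence of a compromise.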


