Re: openssh-3.4p1.tar.gz apparently trojaned

From: Arthur Corliss
Date: Thu Aug 01 2002 - 09:07:06 AKDT

> Anyone who has upgraded to OpenSSH 3.4 might want to check this out,
> especially if you didn't run an md5sum on the downloaded package.

It's not really trojaned, the makefile just creates a binary that makes a
connection to an external server. None of this is integrated into the
binaries, so the generated binaries are fine. The program only affects those
building from source but doesn't stay running, nor is installed onto the
system. Binary distributions should be unaffected.

I still advocate building from source (of course), but this does point out a
few safety checks we should all abide by: check checksums on all downloaded
packages (if available), and never build a package as root.

        --Arthur Corliss
          Bolverk's Lair
          Digital Mages
          "Live Free or Die, the Only Way to Live" -- NH State Motto
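
The two checks recommended in the message above, as an added example that is not part of the original post: verify a downloaded tarball against a digest obtained from a trusted channel, and refuse to unpack for a build when running as root. The function names are hypothetical, and accepting SHA-256 alongside the MD5 sums mentioned in the thread is an addition.

```shell
#!/bin/sh
# Added example: gate a source build on a digest check and a non-root check.
# The expected digest must come from a trusted channel (e.g. a signed
# announcement), not from the same mirror that served the tarball.

# verify_digest FILE EXPECTED_HEX
# Picks the tool from the digest length: 32 hex chars = MD5, 64 = SHA-256.
# Returns 0 on match, 1 on mismatch, 2 on usage or I/O problems.
verify_digest() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
    case ${#expected} in
        32) tool=md5sum ;;
        64) tool=sha256sum ;;
        *)  echo "unsupported digest length" >&2; return 2 ;;
    esac
    actual=$("$tool" < "$file" | cut -d' ' -f1) || return 2
    if [ "$actual" != "$expected" ]; then
        echo "DIGEST MISMATCH for $file" >&2
        echo "  expected $expected" >&2
        echo "  actual   $actual" >&2
        return 1
    fi
}

# refuse_root [UID]
# Fails when the UID is 0, so configure/make (which execute code shipped
# in the tarball) never run as root. The argument exists only for testing;
# by default the effective UID of the caller is used.
refuse_root() {
    uid=${1:-$(id -u)}
    [ "$uid" -ne 0 ] || { echo "refusing to build as root" >&2; return 1; }
}

# safe_unpack FILE EXPECTED_HEX DESTDIR
# Extracts only after both checks pass; the build itself is left to the caller.
safe_unpack() {
    refuse_root || return 1
    verify_digest "$1" "$2" || return 1
    mkdir -p "$3" && tar -xzf "$1" -C "$3"
}
```

A matching digest only shows that the file is the one the digest was published for, so the digest's own source matters as much as the comparison.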
