Re: openssh-3.4p1.tar.gz apparently trojaned

Subject: Re: openssh-3.4p1.tar.gz apparently trojaned
From: W.D.McKinney (
Date: Thu Aug 01 2002 - 10:07:57 AKDT

On (01/08/02 09:07), Arthur Corliss wrote:
> > Anyone who has upgraded to OpenSSH 3.4 might want to check this out,
> > especially if you didn't run an md5sum on the downloaded package.
> >
> >
> It's not really trojaned, the makefile just creates a binary that makes a
> connection to an external server. None of this is integrated into the
> binaries, so the generated binaries are fine. The program only affects those
> building from source but doesn't stay running, nor is installed onto the
> system. Binary distributions should be unaffected.
> I still advocate building from source (of course), but this does point out a
> few safety checks we should all abide by: check checksums on all downloaded
> packages (if available), and never build a package as root.

Excellent points Arthur and well worth noting in light of the recent announcement.
It would be good to for new users to take note of this information and put into practice.


W.D.McKinney (Dee)

--------- To unsubscribe, send email to <> with 'unsubscribe' in the message body.

This archive was generated by hypermail 2a23 : Thu Aug 01 2002 - 10:08:06 AKDT