==============================================================================
17 Feb 2005

UPDATE: Everything is OK

Full details below. Two e-mail messages + MD5 sums following.
==============================================================================

From izto xx asic-linux com mx Thu Feb 17 13:24:18 2005
Date: Thu, 17 Feb 2005 13:24:18 -0600 (CST)
From: Felipe Sanchez
To: checkinstall-list xx asic-linux com mx
Subject: Security issue

The server hosting the checkinstall files was compromised sometime around
Feb-13-2005 and Feb-16-2005.

Apparently the attacker did not reach the checkinstall file repository but it
is advised that if you downloaded any file in that time frame you should not
trust it until we have finished verifying all checksums. We'll post them as
soon as possible, in a few hours probably.

Felipe.

==============================================================================

From izto xx asic-linux com mx Thu Feb 17 15:44:03 2005
Date: Thu, 17 Feb 2005 15:44:02 -0600 (CST)
From: Felipe Sanchez
To: checkinstall-list xx asic-linux com mx
Subject: Verification sums OK

The MD5 sums for all original files in the checkinstall's author's computer
are included as an attachment.

I have verified all files in the server's repository and found these
differences only:

checkinstall-1.2.1-pak.tgz: FAILED
checkinstall-1.3.0beta-1.i386.rpm: FAILED
checkinstall-1.3.0beta-pak.tgz: FAILED
checkinstall-1.3.0beta.tgz: FAILED
checkinstall-1.3.0beta2.tgz: FAILED
checkinstall-1.4.0beta2.tgz: FAILED
checkinstall-1.5.3-i386-1.tgz: FAILED
checkinstall-1.5.3-i386-81.tgz: FAILED

The last two (Both 1.5.3 binary releases for Slackware) are the ones of most
concern. I verified the files inside and found the difference to be in the
FAQ file in the docs. Everything else is exactly like the original files in
my computer so I'm probably to blame for bad version keeping on those files
;-) No worries there.
The former ones in that list were not verified as thoroughly, but I'd think
the differences in those cases are likely to be caused by similar causes.

Anyway, I've updated the server repository with all my original files (And
even added some pre-historic versions of checkinstall while I was at it ;-) )
to be sure. If you downloaded some file from the list above I suggest you
delete it and get it again from the main server once it's back online.

Just to make it clear: I am sure no tampering was done to any file in the
checkinstall source and binary repository. I updated it from my original
files just to be on the safe side (And so we can have 100% reliable MD5 sums
from now on!).

Felipe.

==============================================================================
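
The follow-up step described in the second message, opening an archive whose checksum FAILED and finding which file inside differs from the trusted copy, as an added example (not part of the original messages or of checkinstall). The archive contents and member names are constructed, and SHA-256 plus the file mode is this example's choice for per-member comparison.

```python
import hashlib
import io
import tarfile


def member_digests(tgz_bytes):
    """Map each regular file in a .tgz to (SHA-256 of contents, mode); nothing is extracted to disk."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(tgz_bytes), mode="r:gz") as tar:
        for member in tar:
            if member.isfile():  # links and device nodes are skipped in this example
                data = tar.extractfile(member).read()
                digests[member.name] = (hashlib.sha256(data).hexdigest(), member.mode)
    return digests


def diff_archives(reference_tgz, served_tgz):
    """Return members changed, added or removed relative to the trusted reference."""
    ref, srv = member_digests(reference_tgz), member_digests(served_tgz)
    return {
        "changed": sorted(n for n in ref.keys() & srv.keys() if ref[n] != srv[n]),
        "added": sorted(srv.keys() - ref.keys()),
        "removed": sorted(ref.keys() - srv.keys()),
    }


def build_tgz(files):
    """Build a small .tgz in memory from {name: bytes} (constructed sample input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample: two builds of one package that differ only in a docs file.
REFERENCE = build_tgz({"pkg/bin/tool": b"\x7fELF-sample", "pkg/doc/FAQ": b"FAQ rev 1\n"})
SERVED = build_tgz({"pkg/bin/tool": b"\x7fELF-sample", "pkg/doc/FAQ": b"FAQ rev 2\n"})

if __name__ == "__main__":
    # A whole-archive checksum only says "FAILED"; the member diff says where.
    print(hashlib.md5(REFERENCE).hexdigest() != hashlib.md5(SERVED).hexdigest())
    print(diff_archives(REFERENCE, SERVED))
```

An entry under "added", or a "changed" entry outside the documentation, is the result that would call for treating the served archive as tampered rather than as a versioning slip.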