Re: Security Breach Alert - CVS Home File Download Area Compromised
From: Todd Denniston
Subject: Re: Security Breach Alert - CVS Home File Download Area Compromised
Date: Wed, 26 Jan 2005 09:42:26 -0500
Arno Schuring wrote:
> > When I download a source "*.tar.gz" and corresponding "*.tar.gz.sig", I get
> > file sizes consistent with values on download page and a PGP signature check
> > reports a valid file.
>
> I haven't been able to download cvs-1.11.18.tar.gz.sig, does not even create
> an empty file. When clicking 'info' on the download page, it says 'file
> size: 0.0'. This is using Firefox 1.0 on Windows XP.
<SNIP>
Another Data point.
Platform: Linux 2.4.26
Browser1: Mozilla/5.0 (X11; U; Linux i586; en-US; rv:1.4.1)
Browser2: Lynx Version 2.8.4rel.1 (17 Jul 2001)
with mozilla, right clicking and selecting "Save link target as" results in
-rw-r--r-- 1 696918 Jan 26 08:57 cvs-1.12.11-Darwin-7.7.0-powerpc.gz
for
https://ccvs.cvshome.org/files/documents/19/681/cvs-1.12.11-Darwin-7.7.0-powerpc.gz
with mozilla, right clicking and selecting "Save link target as" results in
no file downloaded for the following link.
https://ccvs.cvshome.org/files/documents/19/682/cvs-1.12.11-Darwin-7.7.0-powerpc.gz.sig
However I get no errors.
with lynx
`lynx -accept_all_cookies -source \
https://ccvs.cvshome.org/files/documents/19/682/cvs-1.12.11-Darwin-7.7.0-powerpc.gz.sig \
>cvs-1.12.11-Darwin-7.7.0-powerpc.gz.sig`
I get a 66 byte file.
I grabbed what could be Conrad's pub key (it verifies a message from the guy
posting to this list as Conrad :) from MIT,
http://pgp.mit.edu:11371/pks/lookup?search=Conrad+T.+Pino&op=index&fingerprint=on
and imported into a key ring.
-rw-r--r-- 1 2462 Jan 26 09:20 ConradTPinoKey.html
-rw-r--r-- 1 5822 Jan 26 09:30 Conradmsg.txt
-rw-r--r-- 1 696918 Jan 26 08:57 cvs-1.12.11-Darwin-7.7.0-powerpc.gz
-rw-r--r-- 1 66 Jan 26 09:22 cvs-1.12.11-Darwin-7.7.0-powerpc.gz.sig
gpg --verify Conradmsg.txt
gpg: Signature made Wed Jan 26 01:45:40 2005 EST using DSA key ID 9BCD3A3D
gpg: Good signature from "Conrad T. Pino <Conrad@Pino.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 3DF1 DE6C 1AFD 8847 08F1 470A B34C DBCB 9BCD 3A3D
gpg --verify cvs-1.12.11-Darwin-7.7.0-powerpc.gz.sig
gpg: Signature made Mon Jan 17 14:55:38 2005 EST using DSA key ID 9BCD3A3D
gpg: Good signature from "Conrad T. Pino <Conrad@Pino.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 3DF1 DE6C 1AFD 8847 08F1 470A B34C DBCB 9BCD 3A3D
So it seems Something is NOT right with the download page, but if the key
from MIT is correct it looks like the above files are ok (from here).
--
Todd Denniston
Crane Division, Naval Surface Warfare Center (NSWC Crane)
Harnessing the Power of Technology for the Warfighter
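
Added example (not part of the original post, and not code from the CVS project): the "not certified with a trusted signature" warning above means gpg only matched the signature to whatever key sits in the keyring, so a script should also compare the signer's full fingerprint with one confirmed out of band. The function names and the sample status lines are constructed for illustration; the pinned fingerprint is the one gpg printed in the post.

```python
import subprocess

# Fingerprint as printed by gpg in the post; confirm it out of band before pinning.
PINNED_FPR = "3DF1 DE6C 1AFD 8847 08F1 470A B34C DBCB 9BCD 3A3D"

# Constructed sample of `gpg --status-fd 1 --verify` output (not captured from a real run).
SAMPLE_STATUS = """\
[GNUPG:] GOODSIG B34CDBCB9BCD3A3D Conrad T. Pino <Conrad@Pino.com>
[GNUPG:] VALIDSIG 3DF1DE6C1AFD884708F1470AB34CDBCB9BCD3A3D 2005-01-17 1105991738 0 3 0 17 2 00 3DF1DE6C1AFD884708F1470AB34CDBCB9BCD3A3D
[GNUPG:] TRUST_UNDEFINED
"""

def judge_status(status_text, pinned_fpr=PINNED_FPR):
    """Classify gpg status output: ok, wrong-key, bad, unverifiable,
    expired-or-revoked or no-signature."""
    pinned = pinned_fpr.replace(" ", "").upper()
    good, signer = False, None
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue  # ignore human-readable "gpg: ..." lines
        tag, args = fields[1], fields[2:]
        if tag == "BADSIG":
            return "bad"
        if tag in ("ERRSIG", "NO_PUBKEY"):
            return "unverifiable"
        if tag in ("EXPSIG", "EXPKEYSIG", "REVKEYSIG"):
            return "expired-or-revoked"
        if tag == "GOODSIG":
            good = True
        elif tag == "VALIDSIG" and args:
            # 10th field is the primary key fingerprint; fall back to the signing key's.
            signer = (args[9] if len(args) >= 10 else args[0]).upper()
    if not (good and signer):
        return "no-signature"
    # A good signature from any other key in the keyring is rejected here.
    return "ok" if signer == pinned else "wrong-key"

def verify_detached(sig_path, data_path, pinned_fpr=PINNED_FPR):
    """Run gpg on a detached signature, then apply the pinned-fingerprint check."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, data_path],
        capture_output=True, text=True)
    return judge_status(proc.stdout, pinned_fpr)
```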