vsftpd in the news
Misha Shnurapet
shnurapet at fedoraproject.org
Tue Jul 5 03:11:11 UTC 2011
There's something to consider about Chris Evans blog post as of July 3 [1]:
> An incident, what fun! Earlier today, I was alerted that a vsftpd download from the master site (vsftpd-2.3.4.tar.gz) appeared to contain a backdoor.
> $ gpg ./vsftpd-2.3.4.tar.gz.asc
> gpg: Signature made Tue 15 Feb 2011 02:38:11 PM PST using DSA key ID 3C0E751C
> gpg: BAD signature from "Chris Evans <chris at scary.beasts.org>"
> The backdoor payload is interesting. In response to a :) smiley face in the FTP username, a TCP callback shell is attempted.
> There is no obfuscation.
I have a question: how does that relate to our package building process, and are GPG signatures verified?
Thanks.
[1] http://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html
--
Best regards,
Misha Shnurapet, Fedora Project Contributor
Email: shnurapet AT fedoraproject.org, IRC: misha on freenode
https://fedoraproject.org/wiki/shnurapet, GPG: 00217306
More information about the devel
mailing list