It’s a little ironic that OpenSSH, a product that most likely provides security for more computers on the Internet than any other, was distributed with a Trojan horse over this past week. The CERT advisory is here; if you downloaded the server code at anytime over the past week, you’d be wise to check to see if you got the infected version.


Oh just f*cking great. I just updated my Mac the other day using the automated software update. Now I have this:

OpenSSH_3.4p1, SSH protocols 1.5/2.0, OpenSSL 0x0090605f

Biiiiiiiig problem. And I can’t find the original tarball downlaoded via the update mechanism to check it it’s MD5 sig. Grrrrrrrrrrrrr.

• Posted by: Jay Allen on Aug 9, 2002, 11:58 AM

For edification, here is the Apple security update doc. Now to figure out if it contains the tainted package.

• Posted by: Jay Allen on Aug 9, 2002, 12:24 PM
Please note that comments automatically close after 60 days; the comment spammers love to use the older, rarely-viewed pages to work their magic. If comments are closed and you want to let me know something, feel free to use the contact page!