
Notice (Re: [SECURITY] [DSA 531-1] New php4 packages ..)



Hello,

When doing the usual "apt-get upgrade" on the security sources.list, these packets "want" to be installed:

33ebccfeda79653d305c2ebc5416b331  php4-imap_4%3a4.1.2-7.0.1_i386.deb
3b6588b6fa8f873b9a7e49c1fcbb0c72  php4_4%3a4.1.2-7.0.1_i386.deb
 (both with mtime July 22nd)

Whereas in this advisory, these are the respective checksums:

http://security.debian.org/pool/updates/main/p/php4/php4-imap_4.1.2-7_i386.deb
      Size/MD5 checksum:   376838 0faa6391096915c65f1f724b651241f5
http://security.debian.org/pool/updates/main/p/php4/php4_4.1.2-7_i386.deb
      Size/MD5 checksum:   582310 fcaf92f17db9813ab02fd7fbafef9dff

My buddy has looked up "3b6588b6fa8f873b9a7e49c1fcbb0c72" in Google and has found:
http://ftp.debian.org/debian/dists/woody-proposed-updates/php4_4.1.2-7.0.1_i386.changes
which when checked with gpg gives:
gpg: Signature made Thu Jul 22 11:42:37 2004 MEST using DSA key ID C6CEA0C9
gpg: Good signature from "Adam Conrad <adconrad@0c3.net>"
gpg:                 aka "Adam Conrad <adconrad@0c3.net>"
..
Primary key fingerprint: C8B2 CB3E 3225 49BB 5ED2  0002 BE3C ED47 C6CE A0C9

(Looking for some evidence that this is the valid key of the maintainer, I've found http://lists.debian.org/debian-newmaint/2002/04/msg00062.html which has been signed with that same key, ok.)

So in the end this just means that a new security release has been made without a new advisory, and you should check the signatures yourself - consider this email as a little help on the way to establishing your own trust chain..

Cheers,
Christian.
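
The comparison described in the message above, as an added example that is not part of the original e-mail: it reads the `Files:` entries from the signed region of a `.changes` file only and checks a downloaded package's size and MD5 against them. The function names and the sample package are constructed; the `.changes` file is assumed to have passed `gpg --verify` first.

```python
import hashlib

BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"

def signed_body(changes_text):
    """Return only the lines the clearsign signature covers."""
    lines = changes_text.splitlines()
    if lines.count(BEGIN_MSG) != 1 or lines.count(BEGIN_SIG) != 1:
        raise ValueError("expected exactly one clearsigned block")
    start, end = lines.index(BEGIN_MSG), lines.index(BEGIN_SIG)
    # Armor headers such as "Hash: SHA1" end at the first blank line.
    body_start = lines.index("", start) + 1
    return lines[body_start:end]

def files_entries(changes_text):
    """Map filename -> (md5, size) from the signed "Files:" field."""
    entries, in_files = {}, False
    for line in signed_body(changes_text):
        if line.startswith("Files:"):
            in_files = True
        elif in_files and line.startswith(" "):
            md5, size, _section, _priority, name = line.split()
            entries[name] = (md5.lower(), int(size))
        else:
            in_files = False
    return entries

def matches_changes(changes_text, filename, data):
    """True only if size and MD5 of data equal the signed entry."""
    expected = files_entries(changes_text).get(filename)
    actual = (hashlib.md5(data).hexdigest(), len(data))
    return expected is not None and expected == actual

# Constructed sample: stand-in payload and a .changes skeleton.
SAMPLE_DEB = b"constructed stand-in for a .deb payload"
SAMPLE_CHANGES = "\n".join([
    "Files:",  # unsigned text ahead of the signed block must be ignored
    " 00000000000000000000000000000000 1 web optional example_1.0_i386.deb",
    BEGIN_MSG,
    "Hash: SHA1",
    "",
    "Files:",
    " %s %d web optional example_1.0_i386.deb"
    % (hashlib.md5(SAMPLE_DEB).hexdigest(), len(SAMPLE_DEB)),
    BEGIN_SIG,
    "(constructed placeholder, not a real signature)",
    "-----END PGP SIGNATURE-----",
])
```

Pass the file name as it appears in the `.changes` file; the copies in the apt cache listed above carry the epoch as `4%3a` in their names.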


