Notice (Re: [SECURITY] [DSA 531-1] New php4 packages ..)
Hello,
When doing the usual "apt-get upgrade" on the security sources.list,
these packages "want" to be installed:
33ebccfeda79653d305c2ebc5416b331 php4-imap_4%3a4.1.2-7.0.1_i386.deb
3b6588b6fa8f873b9a7e49c1fcbb0c72 php4_4%3a4.1.2-7.0.1_i386.deb
(both with mtime July 22nd)
Whereas in this advisory, these are the respective checksums:
http://security.debian.org/pool/updates/main/p/php4/php4-imap_4.1.2-7_i386.deb
Size/MD5 checksum: 376838 0faa6391096915c65f1f724b651241f5
http://security.debian.org/pool/updates/main/p/php4/php4_4.1.2-7_i386.deb
Size/MD5 checksum: 582310 fcaf92f17db9813ab02fd7fbafef9dff
My buddy has looked up "3b6588b6fa8f873b9a7e49c1fcbb0c72" in Google
and has found:
http://ftp.debian.org/debian/dists/woody-proposed-updates/php4_4.1.2-7.0.1_i386.changes
which when checked with gpg gives:
gpg: Signature made Thu Jul 22 11:42:37 2004 MEST using DSA key ID C6CEA0C9
gpg: Good signature from "Adam Conrad <adconrad@0c3.net>"
gpg: aka "Adam Conrad <adconrad@0c3.net>"
..
Primary key fingerprint: C8B2 CB3E 3225 49BB 5ED2 0002 BE3C ED47 C6CE A0C9
(Looking for some evidence that this is the valid key of the
maintainer, I've found
http://lists.debian.org/debian-newmaint/2002/04/msg00062.html which
has been signed with that same key, ok.)
So in the end this just means that a new security release has been
made without a new advisory, and you should check the signatures
yourself - consider this email as a little help on the way to establishing
your own trust chain..
Cheers,
Christian.
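
The check described in the message above, as an added example that is not part of the original post: it parses the Files: field of a gpg-verified .changes payload and compares each downloaded .deb against the signed size and MD5. The function names and the sample data are constructed for illustration; the parser assumes the Files: layout "md5 size section priority filename".

```python
import hashlib
import re
import tempfile
from pathlib import Path

def parse_changes_files(payload):
    """Return {filename: (md5, size)} from the Files: field of a .changes payload.
    Pass only text gpg emitted after a good signature (gpg --decrypt x.changes);
    lines outside the signed block of a clearsigned file are not authenticated."""
    entries, in_files = {}, False
    for line in payload.splitlines():
        if line.startswith("Files:"):
            in_files = True
        elif in_files:
            if not line.startswith(" "):
                break  # an unindented line starts the next field
            md5, size, _section, _priority, name = line.split()
            entries[name] = (md5.lower(), int(size))
    return entries

def pool_name(cache_name):
    """apt's cache keeps the epoch in the file name ('4%3a'); .changes omits it."""
    return re.sub(r"_\d+%3a", "_", cache_name, count=1, flags=re.IGNORECASE)

def check_deb(path, entries):
    """Compare one downloaded .deb against the signed size and MD5."""
    expected = entries.get(pool_name(path.name))
    if expected is None:
        return "not-listed"
    data = path.read_bytes()
    if len(data) != expected[1]:
        return "size-mismatch"
    if hashlib.md5(data).hexdigest() != expected[0]:
        return "md5-mismatch"
    return "ok"

def demo():
    """Constructed data: two stand-in .deb files; the second differs from its entry."""
    signed = [("php4_4.1.2-7.0.1_i386.deb", b"constructed body A"),
              ("php4-imap_4.1.2-7.0.1_i386.deb", b"constructed body B")]
    payload = "Format: 1.7\nFiles:\n" + "".join(
        f" {hashlib.md5(b).hexdigest()} {len(b)} web optional {n}\n" for n, b in signed)
    entries = parse_changes_files(payload)
    with tempfile.TemporaryDirectory() as tmp:
        ok = Path(tmp, "php4_4%3a4.1.2-7.0.1_i386.deb")
        bad = Path(tmp, "php4-imap_4%3a4.1.2-7.0.1_i386.deb")
        ok.write_bytes(b"constructed body A")
        bad.write_bytes(b"constructed body X")  # same size, different content
        return {p.name: check_deb(p, entries) for p in (ok, bad)}
```

A "not-listed" result means the signed file says nothing about that package, which is different from a mismatch and should be treated as unverified.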