There's something to consider about Chris Evans' blog post as of July 3 [1]:

> An incident, what fun! Earlier today, I was alerted that a vsftpd download from the master site (vsftpd-2.3.4.tar.gz) appeared to contain a backdoor.
>
> $ gpg ./vsftpd-2.3.4.tar.gz.asc
> gpg: Signature made Tue 15 Feb 2011 02:38:11 PM PST using DSA key ID 3C0E751C
> gpg: BAD signature from "Chris Evans <chris@xxxxxxxxxxxxxxxx>"
>
> The backdoor payload is interesting. In response to a :) smiley face in the FTP username, a TCP callback shell is attempted.
>
> There is no obfuscation.

I have a question: how does that relate to our package building process, and are GPG signatures verified?

Thanks.

[1] http://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html

-- 
Best regards,
Misha Shnurapet, Fedora Project Contributor
Email: shnurapet AT fedoraproject.org, IRC: misha on freenode
https://fedoraproject.org/wiki/shnurapet, GPG: 00217306

-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
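The quoted blog post shows exactly the signal a build step could have acted on: `gpg` reported a BAD signature on the tarball. As an added illustration (not part of this message and not Fedora's build tooling), the script below shows how a packager could gate a source tarball on a detached signature from a pinned upstream key. The function names `classify_gpg_status` and `verify_source_tarball` are hypothetical, the fingerprint and key IDs are constructed placeholders, and the status lines in the demo are constructed, not captured from gpg.

```shell
#!/bin/sh
# Added illustration, not Fedora's build tooling: refuse to build from a
# source tarball unless its detached GPG signature was made by a pinned
# upstream key. All fingerprints and key IDs here are constructed placeholders.

# classify_gpg_status EXPECTED_FPR
#   Reads "gpg --status-fd" lines on stdin and prints one verdict:
#     TRUSTED            good signature from the pinned key
#     WRONG_KEY          good signature, but from some other key in the keyring
#     BAD_SIGNATURE      signature does not match the file (the case in the post)
#     UNVERIFIABLE       signing key missing or signature unusable
#     NO_VALID_SIGNATURE nothing usable was seen at all
#   Returns 0 only for TRUSTED, so callers can chain "|| exit 1".
#   EXPECTED_FPR must be the full 40-hex-digit fingerprint in upper case,
#   as gpg prints it on the VALIDSIG line; a short key ID (such as the
#   3C0E751C quoted above) is too short to pin a key safely.
classify_gpg_status() {
  expected="$1"
  goodsig=0; badsig=0; nokey=0; errsig=0; fpr=""
  while IFS= read -r line; do
    case "$line" in
      "[GNUPG:] GOODSIG "*)   goodsig=1 ;;
      "[GNUPG:] VALIDSIG "*)  set -- $line; fpr="$3" ;;  # third word is the full fingerprint
      "[GNUPG:] BADSIG "*)    badsig=1 ;;
      "[GNUPG:] NO_PUBKEY "*) nokey=1 ;;
      "[GNUPG:] ERRSIG "*)    errsig=1 ;;
    esac
  done
  if [ "$badsig" -eq 1 ]; then echo BAD_SIGNATURE; return 1; fi
  if [ "$nokey" -eq 1 ] || [ "$errsig" -eq 1 ]; then echo UNVERIFIABLE; return 1; fi
  if [ "$goodsig" -ne 1 ] || [ -z "$fpr" ]; then echo NO_VALID_SIGNATURE; return 1; fi
  if [ "$fpr" != "$expected" ]; then echo WRONG_KEY; return 1; fi
  echo TRUSTED
  return 0
}

# verify_source_tarball TARBALL SIGNATURE KEYRING EXPECTED_FPR
#   Verifies against a project-controlled keyring only (never the builder's
#   personal keyring) and hands gpg's machine-readable status to the classifier.
#   Pipeline status is the classifier's, so this returns 0 only for TRUSTED.
verify_source_tarball() {
  tarball="$1"; sig="$2"; keyring="$3"; expected="$4"
  gpg --batch --no-default-keyring --keyring "$keyring" \
      --status-fd 1 --verify "$sig" "$tarball" 2>/dev/null \
    | classify_gpg_status "$expected"
}

# Demo on constructed status lines (placeholder key, not real gpg output):
# a signature that fails to verify is classified as BAD_SIGNATURE, which is
# the situation the quoted blog post describes.
DEMO_FPR=0123456789ABCDEF0123456789ABCDEF01234567
printf '%s\n' \
  '[GNUPG:] NEWSIG' \
  '[GNUPG:] BADSIG 89ABCDEF01234567 Example Upstream <upstream@example.invalid>' \
  | classify_gpg_status "$DEMO_FPR" || :
```

A typical build-step usage is `verify_source_tarball vsftpd-2.3.4.tar.gz vsftpd-2.3.4.tar.gz.asc /path/to/project-keyring.gpg "$UPSTREAM_FPR" || exit 1`. Checking only gpg's exit status is not enough: gpg exits 0 for any good signature from any key in the keyring, so without comparing the VALIDSIG fingerprint against the pinned upstream fingerprint a signature from a different key would pass. Keeping the keyring under project control, with a single known upstream key in it, is what makes the check mean "the upstream maintainer signed this" rather than merely "someone signed this".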