From: Chris Rees
To: Matthew Seaman
Cc: freebsd-ports@freebsd.org
Date: Tue, 25 Sep 2012 16:34:24 +0100
Subject: Re: Fwd: [Phpmyadmin-users] phpMyAdmin security alert (PMASA-2012-5)

On 25 Sep 2012 15:37, "Matthew Seaman" wrote:
>
> Dear all,
>
> If you install phpMyAdmin from ports, you shouldn't be vulnerable to the
> security problem described in PMASA-2012-5:
>
> Firstly, the ports checks the SHA256 checksum of distributed
> tarballs, which should prevent this sort of tampering.
>
> Secondly, the distfile the port uses is
> phpMyAdmin-3.5.2.2-all-languages.tar.xz
> not the .zip -- and so far only the .zip is known to have been
> compromised.
>
> However, if you should see distfile checksum warnings when trying to
> install phpMyAdmin please do let me know about it, if possible including
> which sourceforge mirror you downloaded from and when. I hope it is
> needless to say this, but if the SHA256 checksum doesn't match then
> *don't install*.

This is exactly the reason distinfo changes should be suspected and be
accompanied by an explanation/diff.

Thanks for sharing :)

Chris
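
The two checks discussed in this thread, verifying a downloaded distfile against its distinfo entry and flagging a distinfo revision where the checksum changed for an unchanged file name, as an added example that is not part of the original messages or the ports framework's own code. It assumes distinfo lines of the form `SHA256 (file) = hex` and `SIZE (file) = bytes`; the tarball bytes and the resulting checksum are constructed stand-ins.

```python
import hashlib
import pathlib
import re
import tempfile

_LINE = re.compile(r"^(SHA256|SIZE) \((.+)\) = (\S+)$")

def parse_distinfo(text):
    """Parse assumed 'SHA256 (name) = hex' / 'SIZE (name) = bytes' lines into a dict."""
    entries = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            kind, name, value = m.groups()
            entries.setdefault(name, {})[kind] = int(value) if kind == "SIZE" else value.lower()
    return entries

def verify_distfile(path, expected):
    """Hash a downloaded file and list every way it differs from its distinfo entry."""
    digest, size = hashlib.sha256(), 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
            size += len(chunk)
    problems = []
    if "SHA256" not in expected:
        problems.append("no SHA256 recorded")  # fail closed: nothing to verify against
    elif digest.hexdigest() != expected["SHA256"]:
        problems.append("SHA256 mismatch")
    if expected.get("SIZE") not in (None, size):
        problems.append("SIZE mismatch")
    return problems

def suspicious_changes(old, new):
    """Names present in both distinfo revisions whose SHA256 changed (a silent re-roll)."""
    return sorted(n for n in old.keys() & new.keys() if old[n].get("SHA256") != new[n].get("SHA256"))

# Constructed sample: stand-in bytes, not the real phpMyAdmin tarball or its checksum.
NAME = "phpMyAdmin-3.5.2.2-all-languages.tar.xz"
GOOD = b"constructed stand-in for the release tarball\n"
DISTINFO = "SHA256 ({0}) = {1}\nSIZE ({0}) = {2}\n".format(NAME, hashlib.sha256(GOOD).hexdigest(), len(GOOD))

def demo():
    expected, results = parse_distinfo(DISTINFO)[NAME], {}
    with tempfile.TemporaryDirectory() as d:
        path = pathlib.Path(d, NAME)
        for label, data in (("clean", GOOD), ("tampered", GOOD + b"injected")):
            path.write_bytes(data)
            results[label] = verify_distfile(path, expected)
    return results
```

A non-empty result from `suspicious_changes` for a distfile whose version did not change is the case that calls for an explanation or diff before the new checksum is accepted.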