Date: Tue, 25 Sep 2012 16:34:24 +0100
From: Chris Rees <utisoft@gmail.com>
To: Matthew Seaman <matthew@freebsd.org>
Cc: freebsd-ports@freebsd.org
Subject: Re: Fwd: [Phpmyadmin-users] phpMyAdmin security alert (PMASA-2012-5)
Message-ID: <CADLo839Gyw6zrXOkpN5aGv3RMNTWAAD-U4DkOL88dK4sW6_utA@mail.gmail.com>
In-Reply-To: <5061C186.8090801@freebsd.org>
References: <5061B556.3060306@infomarc.info> <5061C186.8090801@freebsd.org>

On 25 Sep 2012 15:37, "Matthew Seaman" <matthew@freebsd.org> wrote:
>
> Dear all,
>
> If you install phpMyAdmin from ports, you shouldn't be vulnerable to the
> security problem described in PMASA-2012-5:
>
>    Firstly, the ports checks the SHA256 checksum of distributed
>    tarballs, which should prevent this sort of tampering.
>
>    Secondly, the distfile the port uses is
>       phpMyAdmin-3.5.2.2-all-languages.tar.xz
>    not the .zip -- and so far only the .zip is known to have been
>    compromised.
>
> However, if you should see distfile checksum warnings when trying to
> install phpMyAdmin please do let me know about it, if possible including
> which sourceforge mirror you downloaded from and when.  I hope it is
> needless to say this, but if the SHA256 checksum doesn't match then
> *don't install*.

This is exactly the reason distinfo changes should be suspected and be
accompanied by an explanation/diff.

Thanks for sharing :)

Chris
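
The two checks discussed in this message, as an added example that is not part of the original e-mail or of the ports framework's own code: verifying a downloaded distfile against its recorded SHA256 and size, and flagging a distinfo change where the checksum differs but the file name does not. The function names are hypothetical, the "tarball" bytes are constructed stand-ins, and the distinfo line format is assumed to be `SHA256 (file) = hex` / `SIZE (file) = n`.

```python
import hashlib
import re

# Assumed distinfo line format: "SHA256 (file) = hex" and "SIZE (file) = n".
_LINE = re.compile(r"^(SHA256|SIZE) \((.+)\) = (\S+)$")

def parse_distinfo(text):
    """Return {filename: {"SHA256": hex, "SIZE": int}} from distinfo text."""
    entries = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue  # skip lines that are not checksum or size records
        key, name, value = m.groups()
        entries.setdefault(name, {})[key] = int(value) if key == "SIZE" else value.lower()
    return entries

def verify_distfile(name, data, entries):
    """True only if the size and SHA256 of data match the recorded entry."""
    rec = entries.get(name)
    if not rec or "SHA256" not in rec:
        return False  # no recorded checksum: unverified, so do not install
    if "SIZE" in rec and rec["SIZE"] != len(data):
        return False
    return hashlib.sha256(data).hexdigest() == rec["SHA256"]

def rerolled(old, new):
    """Files listed in both distinfo versions whose SHA256 changed."""
    return sorted(n for n in old.keys() & new.keys()
                  if old[n].get("SHA256") != new[n].get("SHA256"))

# Constructed sample data: these bytes stand in for tarballs; hashes are computed here.
NAME = "phpMyAdmin-3.5.2.2-all-languages.tar.xz"
GOOD = b"constructed stand-in for the genuine tarball"
BAD = b"constructed stand-in for a tampered tarball!"

def make_distinfo(name, data):
    """Build distinfo text for the constructed sample bytes."""
    return "SHA256 (%s) = %s\nSIZE (%s) = %d\n" % (
        name, hashlib.sha256(data).hexdigest(), name, len(data))

if __name__ == "__main__":
    recorded = parse_distinfo(make_distinfo(NAME, GOOD))
    print("genuine file verifies:", verify_distfile(NAME, GOOD, recorded))
    print("tampered file verifies:", verify_distfile(NAME, BAD, recorded))
    changed = parse_distinfo(make_distinfo(NAME, BAD))
    print("same name, new checksum:", rerolled(recorded, changed))
```

A non-empty result from `rerolled` is the case where a distinfo update needs an explanation or a diff of the old and new distfile before it is accepted.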