head 1.151;
access;
symbols;
locks; strict;
comment @# @;
1.151
date 2006.03.05.19.09.03; author rse; state Exp;
branches;
next 1.150;
commitid xemgegL9fZ40G1or;
1.150
date 2006.02.19.12.11.48; author rse; state Exp;
branches;
next 1.149;
commitid z0J9KQWUvD0LObmr;
1.149
date 2006.02.18.12.35.24; author rse; state Exp;
branches;
next 1.148;
commitid nJf0J1EVerJQY3mr;
1.148
date 2006.02.18.09.36.51; author rse; state Exp;
branches;
next 1.147;
commitid ixHGHdWjncLAZ2mr;
1.147
date 2005.12.14.20.25.20; author rse; state Exp;
branches;
next 1.146;
commitid OBJvJ3KfAHlBHCdr;
1.146
date 2005.12.03.18.22.15; author rse; state Exp;
branches;
next 1.145;
commitid cqfwCpi3ZZ6inccr;
1.145
date 2005.12.03.13.24.39; author rse; state Exp;
branches;
next 1.144;
commitid jJpBlZDXmyAcJacr;
1.144
date 2005.12.03.12.38.22; author rse; state Exp;
branches;
next 1.143;
commitid 6vzWJXRQtbzjtacr;
1.143
date 2005.10.19.09.20.04; author openpkg; state Exp;
branches;
next 1.142;
1.142
date 2005.10.17.16.11.22; author rse; state Exp;
branches;
next 1.141;
1.141
date 2005.09.10.15.14.37; author rse; state Exp;
branches;
next 1.140;
1.140
date 2005.09.06.13.27.25; author rse; state Exp;
branches;
next 1.139;
1.139
date 2005.09.05.16.11.13; author rse; state Exp;
branches;
next 1.138;
1.138
date 2005.09.05.13.52.22; author rse; state Exp;
branches;
next 1.137;
1.137
date 2005.07.28.12.09.46; author thl; state Exp;
branches;
next 1.136;
1.136
date 2005.07.28.11.11.43; author rse; state Exp;
branches;
next 1.135;
1.135
date 2005.07.28.07.54.36; author openpkg; state Exp;
branches;
next 1.134;
1.134
date 2005.07.08.13.50.54; author rse; state Exp;
branches;
next 1.133;
1.133
date 2005.06.23.18.39.47; author openpkg; state Exp;
branches;
next 1.132;
1.132
date 2005.06.22.16.00.08; author ms; state Exp;
branches;
next 1.131;
1.131
date 2005.06.22.08.25.25; author thl; state Exp;
branches;
next 1.130;
1.130
date 2005.06.21.16.46.31; author ms; state Exp;
branches;
next 1.129;
1.129
date 2005.06.11.16.41.33; author ms; state Exp;
branches;
next 1.128;
1.128
date 2005.04.20.15.36.41; author rse; state Exp;
branches;
next 1.127;
1.127
date 2005.04.20.11.30.05; author ms; state Exp;
branches;
next 1.126;
1.126
date 2005.02.24.15.55.52; author rse; state Exp;
branches;
next 1.125;
1.125
date 2005.01.17.12.38.19; author rse; state Exp;
branches;
next 1.124;
1.124
date 2005.01.11.15.10.01; author rse; state Exp;
branches;
next 1.123;
1.123
date 2005.01.11.14.58.04; author thl; state Exp;
branches;
next 1.122;
1.122
date 2004.12.17.16.01.47; author thl; state Exp;
branches;
next 1.121;
1.121
date 2004.12.16.21.00.58; author thl; state Exp;
branches;
next 1.120;
1.120
date 2004.12.15.16.53.28; author thl; state Exp;
branches;
next 1.119;
1.119
date 2004.11.29.15.35.08; author thl; state Exp;
branches;
next 1.118;
1.118
date 2004.11.29.14.51.12; author thl; state Exp;
branches;
next 1.117;
1.117
date 2004.10.20.08.08.54; author thl; state Exp;
branches;
next 1.116;
1.116
date 2004.10.15.15.40.30; author rse; state Exp;
branches;
next 1.115;
1.115
date 2004.10.14.15.25.04; author thl; state Exp;
branches;
next 1.114;
1.114
date 2004.10.13.06.58.31; author thl; state Exp;
branches;
next 1.113;
1.113
date 2004.09.15.12.55.56; author rse; state Exp;
branches;
next 1.112;
1.112
date 2004.09.13.13.40.57; author rse; state Exp;
branches;
next 1.111;
1.111
date 2004.08.15.10.17.53; author rse; state Exp;
branches;
next 1.110;
1.110
date 2004.08.04.14.00.16; author thl; state Exp;
branches;
next 1.109;
1.109
date 2004.07.22.14.34.44; author thl; state Exp;
branches;
next 1.108;
1.108
date 2004.07.20.07.59.49; author thl; state Exp;
branches;
next 1.107;
1.107
date 2004.07.20.07.04.14; author thl; state Exp;
branches;
next 1.106;
1.106
date 2004.07.08.13.14.44; author thl; state Exp;
branches;
next 1.105;
1.105
date 2004.07.06.14.04.55; author thl; state Exp;
branches;
next 1.104;
1.104
date 2004.06.11.14.43.17; author thl; state Exp;
branches;
next 1.103;
1.103
date 2004.06.11.12.08.07; author thl; state Exp;
branches;
next 1.102;
1.102
date 2004.06.11.08.12.38; author thl; state Exp;
branches;
next 1.101;
1.101
date 2004.06.05.11.33.51; author rse; state Exp;
branches;
next 1.100;
1.100
date 2004.05.21.16.06.26; author thl; state Exp;
branches;
next 1.99;
1.99
date 2004.05.19.21.03.24; author rse; state Exp;
branches;
next 1.98;
1.98
date 2004.05.19.19.47.41; author rse; state Exp;
branches;
next 1.97;
1.97
date 2004.05.12.13.19.09; author thl; state Exp;
branches;
next 1.96;
1.96
date 2004.05.07.20.03.20; author openpkg-cvs; state Exp;
branches;
next 1.95;
1.95
date 2004.05.05.13.18.55; author openpkg-cvs; state Exp;
branches;
next 1.94;
1.94
date 2004.05.03.08.42.55; author openpkg-cvs; state Exp;
branches;
next 1.93;
1.93
date 2004.04.29.20.04.07; author thl; state Exp;
branches;
next 1.92;
1.92
date 2004.04.19.08.06.35; author thl; state Exp;
branches;
next 1.91;
1.91
date 2004.04.15.18.09.53; author rse; state Exp;
branches;
next 1.90;
1.90
date 2004.04.07.16.24.59; author ms; state Exp;
branches;
next 1.89;
1.89
date 2004.04.07.12.45.54; author thl; state Exp;
branches;
next 1.88;
1.88
date 2004.04.05.12.56.08; author thl; state Exp;
branches;
next 1.87;
1.87
date 2004.04.05.12.48.29; author thl; state Exp;
branches;
next 1.86;
1.86
date 2004.04.01.21.01.13; author thl; state Exp;
branches;
next 1.85;
1.85
date 2004.03.18.10.02.38; author thl; state Exp;
branches;
next 1.84;
1.84
date 2004.03.12.14.45.10; author thl; state Exp;
branches;
next 1.83;
1.83
date 2004.03.09.14.43.35; author thl; state Exp;
branches;
next 1.82;
1.82
date 2004.03.08.14.09.51; author thl; state Exp;
branches;
next 1.81;
1.81
date 2004.03.05.16.07.14; author ms; state Exp;
branches;
next 1.80;
1.80
date 2004.02.27.14.59.15; author thl; state Exp;
branches;
next 1.79;
1.79
date 2004.02.25.09.26.00; author thl; state Exp;
branches;
next 1.78;
1.78
date 2004.01.16.12.43.44; author thl; state Exp;
branches;
next 1.77;
1.77
date 2004.01.08.08.03.57; author thl; state Exp;
branches;
next 1.76;
1.76
date 2003.12.17.11.59.24; author rse; state Exp;
branches;
next 1.75;
1.75
date 2003.12.04.15.21.12; author thl; state Exp;
branches;
next 1.74;
1.74
date 2003.11.28.11.21.06; author thl; state Exp;
branches;
next 1.73;
1.73
date 2003.11.25.13.37.59; author thl; state Exp;
branches;
next 1.72;
1.72
date 2003.10.30.10.48.39; author rse; state Exp;
branches;
next 1.71;
1.71
date 2003.10.28.14.46.56; author thl; state Exp;
branches;
next 1.70;
1.70
date 2003.10.19.07.16.29; author thl; state Exp;
branches;
next 1.69;
1.69
date 2003.09.30.12.47.11; author thl; state Exp;
branches;
next 1.68;
1.68
date 2003.09.24.08.09.34; author thl; state Exp;
branches;
next 1.67;
1.67
date 2003.09.24.08.08.10; author thl; state Exp;
branches;
next 1.66;
1.66
date 2003.09.19.08.14.36; author rse; state Exp;
branches;
next 1.65;
1.65
date 2003.09.17.06.59.37; author thl; state Exp;
branches;
next 1.64;
1.64
date 2003.09.16.10.21.12; author rse; state Exp;
branches;
next 1.63;
1.63
date 2003.09.15.13.27.23; author thl; state Exp;
branches;
next 1.62;
1.62
date 2003.09.15.11.33.39; author thl; state Exp;
branches;
next 1.61;
1.61
date 2003.08.28.08.37.00; author rse; state Exp;
branches;
next 1.60;
1.60
date 2003.08.06.15.26.42; author thl; state Exp;
branches;
next 1.59;
1.59
date 2003.08.06.13.07.50; author thl; state Exp;
branches;
next 1.58;
1.58
date 2003.08.05.08.47.06; author thl; state Exp;
branches;
next 1.57;
1.57
date 2003.08.04.09.12.56; author thl; state Exp;
branches;
next 1.56;
1.56
date 2003.07.10.14.22.48; author thl; state Exp;
branches;
next 1.55;
1.55
date 2003.07.10.09.54.16; author thl; state Exp;
branches;
next 1.54;
1.54
date 2003.07.07.13.48.08; author thl; state Exp;
branches;
next 1.53;
1.53
date 2003.06.11.11.04.36; author rse; state Exp;
branches;
next 1.52;
1.52
date 2003.06.03.12.11.24; author thl; state Exp;
branches;
next 1.51;
1.51
date 2003.05.16.09.39.04; author rse; state Exp;
branches;
next 1.50;
1.50
date 2003.04.07.15.30.36; author rse; state Exp;
branches;
next 1.49;
1.49
date 2003.03.30.12.09.22; author rse; state Exp;
branches;
next 1.48;
1.48
date 2003.03.20.20.17.31; author rse; state Exp;
branches;
next 1.47;
1.47
date 2003.03.20.16.21.59; author rse; state Exp;
branches;
next 1.46;
1.46
date 2003.03.18.15.55.42; author rse; state Exp;
branches;
next 1.45;
1.45
date 2003.03.18.15.38.30; author rse; state Exp;
branches;
next 1.44;
1.44
date 2003.03.18.15.26.42; author rse; state Exp;
branches;
next 1.43;
1.43
date 2003.03.18.10.12.57; author rse; state Exp;
branches;
next 1.42;
1.42
date 2003.03.14.21.17.45; author rse; state Exp;
branches;
next 1.41;
1.41
date 2003.03.04.15.37.39; author thl; state Exp;
branches;
next 1.40;
1.40
date 2003.03.04.13.06.10; author mlelstv; state Exp;
branches;
next 1.39;
1.39
date 2003.03.04.10.26.04; author rse; state Exp;
branches;
next 1.38;
1.38
date 2003.02.19.15.29.15; author rse; state Exp;
branches;
next 1.37;
1.37
date 2003.02.19.13.48.07; author thl; state Exp;
branches;
next 1.36;
1.36
date 2003.02.18.15.13.05; author thl; state Exp;
branches;
next 1.35;
1.35
date 2003.02.18.15.03.24; author ms; state Exp;
branches;
next 1.34;
1.34
date 2003.02.18.11.43.05; author openpkg; state Exp;
branches;
next 1.33;
1.33
date 2003.01.29.12.01.17; author thl; state Exp;
branches;
next 1.32;
1.32
date 2003.01.23.13.36.58; author thl; state Exp;
branches;
next 1.31;
1.31
date 2003.01.22.16.04.53; author thl; state Exp;
branches;
next 1.30;
1.30
date 2003.01.22.13.12.54; author rse; state Exp;
branches;
next 1.29;
1.29
date 2003.01.22.13.01.31; author thl; state Exp;
branches;
next 1.28;
1.28
date 2003.01.21.13.49.01; author thl; state Exp;
branches;
next 1.27;
1.27
date 2003.01.20.20.11.47; author thl; state Exp;
branches;
next 1.26;
1.26
date 2003.01.16.14.25.53; author thl; state Exp;
branches;
next 1.25;
1.25
date 2002.12.19.10.52.43; author rse; state Exp;
branches;
next 1.24;
1.24
date 2002.12.17.16.24.44; author rse; state Exp;
branches;
next 1.23;
1.23
date 2002.11.29.10.12.50; author rse; state Exp;
branches;
next 1.22;
1.22
date 2002.10.23.12.24.14; author rse; state Exp;
branches;
next 1.21;
1.21
date 2002.10.04.19.47.18; author rse; state Exp;
branches;
next 1.20;
1.20
date 2002.08.27.13.02.32; author ms; state Exp;
branches;
next 1.19;
1.19
date 2002.08.23.12.52.15; author rse; state Exp;
branches;
next 1.18;
1.18
date 2002.07.04.14.16.28; author rse; state Exp;
branches;
next 1.17;
1.17
date 2002.06.26.20.34.37; author rse; state Exp;
branches;
next 1.16;
1.16
date 2002.06.19.16.02.57; author rse; state Exp;
branches;
next 1.15;
1.15
date 2002.03.12.20.32.27; author rse; state Exp;
branches;
next 1.14;
1.14
date 2002.03.12.18.29.59; author rse; state Exp;
branches;
next 1.13;
1.13
date 2002.03.08.09.26.38; author rse; state Exp;
branches;
next 1.12;
1.12
date 2002.01.31.17.29.41; author rse; state Exp;
branches;
next 1.11;
1.11
date 2002.01.31.15.05.27; author rse; state Exp;
branches;
next 1.10;
1.10
date 2002.01.31.15.00.24; author rse; state Exp;
branches;
next 1.9;
1.9
date 2002.01.31.13.17.03; author rse; state Exp;
branches;
next 1.8;
1.8
date 2002.01.31.12.15.50; author rse; state Exp;
branches;
next 1.7;
1.7
date 2002.01.12.11.45.49; author rse; state Exp;
branches;
next 1.6;
1.6
date 2001.12.05.09.03.30; author rse; state Exp;
branches;
next 1.5;
1.5
date 2001.11.27.11.47.42; author rse; state Exp;
branches;
next 1.4;
1.4
date 2001.11.26.19.34.47; author rse; state Exp;
branches;
next 1.3;
1.3
date 2001.11.25.13.53.32; author rse; state Exp;
branches;
next 1.2;
1.2
date 2001.11.23.16.16.05; author rse; state Exp;
branches;
next 1.1;
1.1
date 2001.10.05.12.48.34; author rse; state Exp;
branches;
next ;
desc
@@
1.151
log
@link Tar SA into website
@
text
@
#use "page.inc" page=security
Security
OpenPKG takes security very seriously. Experience has shown that security
through obscurity does not work. Rather, public disclosure allows for more
rapid and better solutions to security problems. This page addresses
OpenPKG's state of security with respect to the problems which could
potentially affect an OpenPKG installation.
Reporting of Incidents
Report security incidents to openpkg-security@@openpkg.org.
Expect the Petidomo list robot to ask you for a confirmation mail
before your report is actually delivered to the OpenPKG team. This
protection step will not hold up your report, as the robot reacts
promptly.
Note: all reports unrelated to security sent to the above address are
silently ignored.
Security Policies
The OpenPKG project provides security advisories (SAs) and updated SRPMs
(UPDs) for packages of CORE+BASE class that belong to either
- the most recent official release of OpenPKG or
- the immediate predecessor of the most recent release.
According to this policy, security advisories and updated SRPMs are
now being issued for
- OpenPKG 2.5 CORE+BASE class packages
- OpenPKG 2.4 CORE+BASE class packages
Older releases are not maintained and therefore users are strongly
encouraged to upgrade to one of the supported releases mentioned above. Like
all development efforts, security corrections are first committed to the
OpenPKG-CURRENT branch. After adequate testing, the fix is retrofitted to
the supported OpenPKG-STABLE and OpenPKG-SOLID branch(es).
Security advisories are sent out by the OpenPKG project to
openpkg-announce@@openpkg.org and bugtraq@@securityfocus.com.
You are strongly advised to at least subscribe to
the moderated mailing list openpkg-announce@@openpkg.org.
Security Advisories
The complete list of OpenPKG security advisories follows:
[OpenPKG-SA-%0] | %1 | (HTML, TXT) |
Digital Signatures
The OpenPKG project uses GnuPG and
OpenPGP digital signatures to sign
security advisories and the associated SRPMs of
official OpenPKG releases.
In order to verify the digital signature of a security advisory or an
RPM file, follow these steps:
- OpenPKG 2.x
OpenPKG 2.x can check signed packages with its built-in
cryptographic tools. The OpenPKG OpenPGP public key is preinstalled and
registered as if it were a package, so nothing more is needed to
verify RPM files. Separate OpenPGP software is needed only to verify
security advisory texts or to sign packages yourself.
- Install GnuPG Software
GnuPG is the preferred tool for working with OpenPGP. We recommend
installing the OpenPKG gnupg package from the OpenPKG
package repository.
Alternatively, you can fetch it from its official homepage
http://www.gnupg.org/ and then
build and install it manually. Make sure the program gpg is in
your $PATH. If you installed it via OpenPKG under prefix,
you can simply run eval `prefix/etc/rc --eval openpkg env` to accomplish this.
- Import the OpenPKG OpenPGP public key
You can import the OpenPGP public key of "OpenPKG <openpkg@@openpkg.org>"
into your key ring in one of the following ways:
- Directly from the master location (preferred):
$ lynx -source http://www.openpkg.org/openpkg.pgp | gpg --import
- From the keyserver of the PGP network:
$ gpg --keyserver pgp.openpkg.org --recv-keys 63C4CB9F
- From an existing OpenPKG hierarchy:
$ gpg --import prefix/etc/openpkg/openpkg.pgp
- Verify the integrity of the imported OpenPKG public key
You should always make sure the imported key is the correct one by
at least verifying its fingerprint. The short key ID 63C4CB9F used
above is only the last 32 bits of that fingerprint and is not unique,
so it does not identify the key on its own; compare all 40 hex digits.
To verify the imported key's fingerprint, run the following command:
$ gpg --fingerprint openpkg
Ensure that it prints the following fingerprint text:
6D96 EFCF CF75 3288 10DB 40C2 8075 93E0 63C4 CB9F
- Verify the security advisory or distribution files
After installing GnuPG and importing and checking the OpenPKG public
key, you can verify the integrity and authenticity of OpenPKG security
advisories and RPM files.
- Security Advisory Verification
To verify a security advisory, pipe the message through the
command 'gpg --verify' (gpg prints its verdict on stderr):
$ cat OpenPKG-SA-2005.001-perl.txt | gpg --verify
Ensure that the output contains:
gpg: Good signature from "OpenPKG <openpkg@@openpkg.org>"
A WARNING that the key is not certified with a trusted signature is
normal unless you have signed the key locally; the fingerprint check
above is what makes the Good signature meaningful. If instead it responds with
gpg: BAD signature from "OpenPKG <openpkg@@openpkg.org>"
or with anything other than a Good signature from exactly this user ID,
the advisory text is invalid: either altered in transit or not
certified by the OpenPKG project.
- RPM File Verification
To verify an RPM file name.rpm (either source or
binary), run the following command on it:
$ openpkg rpm -v --checksig name.rpm
Ensure that it responds with:
name.rpm:
Header V3 DSA signature: OK
Header SHA1 digest: OK
MD5 digest: OK
V3 DSA signature: OK
All four lines must be present and report OK. If any line reports
NOT OK, or the two V3 DSA signature lines are missing (rpm prints only
the digest lines for an unsigned package, and matching digests say
nothing about who built it), the RPM file is invalid and not certified
by the OpenPKG project.
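The steps above can be scripted so that the checks fail closed instead of relying on a reader eyeballing tool output. The following is an added example, not code from the OpenPKG project: it compares the fingerprint line of gpg --fingerprint against the fingerprint published on this page, judges gpg --verify output, and judges rpm -v --checksig output, rejecting digest-only (unsigned) results and signatures made by any key other than 63C4CB9F. The sample tool outputs embedded in it are constructed, and the ", key ID xxxxxxxx" suffix on rpm's signature lines is an assumption about rpm's verbose output format.

```sh
#!/bin/sh
# Added example, not OpenPKG project code: the manual checks from the page,
# written so that they fail closed. All sample tool output below is
# constructed for illustration.

# Values published on this page.
OPENPKG_FPR='6D96 EFCF CF75 3288 10DB 40C2 8075 93E0 63C4 CB9F'
OPENPKG_KEYID='63c4cb9f'
OPENPKG_UID='OpenPKG <openpkg@@openpkg.org>'

# Canonical fingerprint form: no spaces or colons, uppercase hex.
norm_fpr() {
    printf '%s' "$1" | tr -d ' :' | tr 'abcdef' 'ABCDEF'
}

# Compare the "Key fingerprint = ..." line of `gpg --fingerprint openpkg`
# output with the pinned value. A missing line fails, like a mismatch.
check_fingerprint() {
    got=$(printf '%s\n' "$1" | sed -n 's/^.*fingerprint = //p' | head -n 1)
    [ -n "$got" ] && [ "$(norm_fpr "$got")" = "$(norm_fpr "$OPENPKG_FPR")" ]
}

# Judge `gpg --verify` output (gpg prints it on stderr; capture with 2>&1).
# A Good signature is only accepted from exactly the OpenPKG user ID, and
# any BAD signature line rejects the whole message. gpg's WARNING about the
# key not being certified is expected unless you signed the key locally.
check_advisory() {
    out=$1
    if printf '%s\n' "$out" | grep -q 'BAD signature'; then return 1; fi
    printf '%s\n' "$out" | grep -qF "Good signature from \"$OPENPKG_UID\""
}

# Judge `openpkg rpm -v --checksig name.rpm` output. rpm prints only the
# digest lines for an unsigned package, so digests OK is not enough: both
# DSA signature lines must be present and OK, no line may say NOT OK (this
# also catches "NOT OK (MISSING KEYS ...)"), and when rpm names the signing
# key ID it must be the OpenPKG key (assumed format: "OK, key ID xxxxxxxx").
check_rpm_checksig() {
    out=$1
    if printf '%s\n' "$out" | grep -q 'NOT OK'; then return 1; fi
    for want in 'Header V3 DSA signature: OK' 'Header SHA1 digest: OK' \
                'MD5 digest: OK' 'V3 DSA signature: OK'; do
        printf '%s\n' "$out" | grep -q "^[[:space:]]*$want" || return 1
    done
    if printf '%s\n' "$out" | grep -i 'key ID' | grep -qiv "key ID $OPENPKG_KEYID"; then
        return 1
    fi
    return 0
}

# Constructed sample outputs.
SAMPLE_GPG_FPR='pub   (constructed key header line)
      Key fingerprint = 6D96 EFCF CF75 3288 10DB 40C2 8075 93E0 63C4 CB9F
uid                  OpenPKG <openpkg@@openpkg.org>'
SAMPLE_GPG_GOOD='gpg: Signature made (date omitted) using DSA key ID 63C4CB9F
gpg: Good signature from "OpenPKG <openpkg@@openpkg.org>"
gpg: WARNING: This key is not certified with a trusted signature!'
SAMPLE_GPG_BAD='gpg: Signature made (date omitted) using DSA key ID 63C4CB9F
gpg: BAD signature from "OpenPKG <openpkg@@openpkg.org>"'
SAMPLE_RPM_PAGE='name.rpm:
    Header V3 DSA signature: OK
    Header SHA1 digest: OK
    MD5 digest: OK
    V3 DSA signature: OK'
SAMPLE_RPM_SIGNED='name.rpm:
    Header V3 DSA signature: OK, key ID 63c4cb9f
    Header SHA1 digest: OK
    MD5 digest: OK
    V3 DSA signature: OK, key ID 63c4cb9f'
SAMPLE_RPM_UNSIGNED='name.rpm:
    Header SHA1 digest: OK
    MD5 digest: OK'
SAMPLE_RPM_TAMPERED='name.rpm:
    Header V3 DSA signature: OK, key ID 63c4cb9f
    Header SHA1 digest: OK
    MD5 digest: NOT OK
    V3 DSA signature: NOT OK, key ID 63c4cb9f'
SAMPLE_RPM_WRONGKEY='name.rpm:
    Header V3 DSA signature: OK, key ID deadbeef
    Header SHA1 digest: OK
    MD5 digest: OK
    V3 DSA signature: OK, key ID deadbeef'

# Stand-alone demonstration: PASS/FAIL for each sample.
report() { if "$1" "$2"; then echo "PASS: $1 ($3)"; else echo "FAIL: $1 ($3)"; fi; }
report check_fingerprint "$SAMPLE_GPG_FPR" pinned
report check_advisory "$SAMPLE_GPG_GOOD" good
report check_advisory "$SAMPLE_GPG_BAD" bad
report check_rpm_checksig "$SAMPLE_RPM_SIGNED" signed
report check_rpm_checksig "$SAMPLE_RPM_UNSIGNED" unsigned
report check_rpm_checksig "$SAMPLE_RPM_WRONGKEY" wrongkey
```

Feed the functions real output, for example check_advisory "$(gpg --verify OpenPKG-SA-2005.001-perl.txt 2>&1)" or check_rpm_checksig "$(openpkg rpm -v --checksig name.rpm)"; each returns 0 only on success, so it can guard an install step with &&.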
@
1.150
log
@link SAs into website
@
text
@d93 1
@
1.149
log
@link OpenSSH SA into website
@
text
@d93 2
@
1.148
log
@link SAs into website
@
text
@d93 1
@
1.147
log
@link latest SAs into website
@
text
@d93 2
@
1.146
log
@link PHP SA into website
@
text
@d93 2
@
1.145
log
@add Perl SA to website
@
text
@d93 2
@
1.144
log
@add MySQL SA into website
@
text
@d93 1
@
1.143
log
@update website for OpenPKG 2.5
@
text
@d93 2
@
1.142
log
@link OpenSSL SA into website
@
text
@d58 1
a59 1
OpenPKG 2.3 CORE+BASE class packages
@
1.141
log
@link squid SA into website
@
text
@d93 1
@
1.140
log
@link OpenSSH SA into website
@
text
@d93 2
@
1.139
log
@link SA into website
@
text
@d93 1
@
1.138
log
@link into website
@
text
@d93 1
@
1.137
log
@SA-2005.016-fetchmail; CAN-2005-2335
@
text
@d93 1
@
1.136
log
@link spamassassin SA into website
@
text
@d93 1
@
1.135
log
@SA-2005.014-zlib; CAN-2005-1849
@
text
@d93 1
@
1.134
log
@link zlib SA into website
@
text
@d93 1
@
1.133
log
@link in OpenPKG-SA-2005.011-shtool and OpenPKG-SA-2005.012-sudo
@
text
@d93 1
@
1.132
log
@remove table of contents header to merge with main security section, and
introduce small refinements
@
text
@d93 2
@
1.131
log
@shift security support towards 2.4 and 2.3, dropping 2.2
@
text
@a15 4
Page Contents
d18 1
a18 2
Page Contents
Security Incident Notifications
d25 1
a25 1
Security Incident Notifications
@
1.130
log
@first phase of security web pages edition
@
text
@d63 1
a64 1
OpenPKG 2.2 CORE+BASE class packages
@
1.129
log
@link new cvs, bzip2, gzip, and openpkg SAs into website
@
text
@d6 1
d8 7
d16 12
a27 5
OpenPKG takes security very seriously. Experience has shown that "security
through obscurity" does not work. Public disclosure allows for more rapid and
better solutions to security problems. In that vein, this page addresses
OpenPKG's status with respect to various known security holes, which could
potentially affect OpenPKG.
d29 1
d31 1
d35 1
a35 1
Notification of security incidents should be reported to
Security Advisories
d51 2
a52 2
The OpenPKG project provides security advisories and updated SRPMs for
packages of CORE+BASE class that belong to either
d59 2
a60 2
Following this policy, at this time, security advisories and updated SRPMs are
being issued for
d67 5
a71 5
Older releases are not maintained and users are strongly encouraged to upgrade
to one of the supported releases mentioned above. Like all development
efforts, security fixes are first brought into the OpenPKG-CURRENT branch.
After a some testing, the fix is retrofitted into the supported OpenPKG-STABLE
and OpenPKG-SOLID branch(es).
d74 8
a81 6
Security Advisories are sent out by the OpenPKG project to openpkg-announce@@openpkg.org and bugtraq@@securityfocus.com.
You are strongly advised to at least subscribe to the moderated mailing list openpkg-announce@@openpkg.org.
d84 1
a84 1
The complete list of OpenPKG Security Advisories follow:
d240 4
a243 5
The OpenPKG project uses GnuPG
and OpenPGP digital signatures
to sign security advisories (see above) and the distribution files
(*.rpm) of official
OpenPKG releases.
d246 2
a247 1
In order to verify the digital signatures, follow these steps:
d252 1
a252 1
OpenPKG 2.x has the capability to check signed packages with built-in
d254 3
a256 3
appears as if it were a package. OpenPGP is only necessary to verify
things different from packages, i.e. an advisory text, or to sign
packages.
d258 1
a258 1
Install GnuPG
d260 9
a268 9
This is the preferred tool for working with OpenPGP. We recommend you to
install it by using the OpenPKG
gnupg package.
Alternatively you can fetch it from its official homepage http://www.gnupg.org/ and build/install
it manually. Then make sure the program gpg is in your
$PATH. If you installed it via OpenPKG under prefix
you can simply use eval `prefix/etc/rc --eval openpkg env` for this.
d270 1
a270 1
Import the OpenPKG's OpenPGP public key
d272 2
a273 3
You can import the OpenPGP public
key of "OpenPKG <openpkg@@openpkg.org>" into your
key-ring in one of the following ways:
d285 3
a287 3
You always should make sure the imported key is the correct one by
verifying at least its fingerprint. For this, run the following
command:
d291 1
a291 1
Make sure it prints the following fingerprint:
d299 3
a301 2
Now you are ready to verify the integrity and authentication of an OpenPKG
security advisory or an OpenPKG RPM distribution file.
d306 2
a307 2
To verify a security advisory, just pipe the message through the
following command:
d309 1
a309 1
$ gpg --verify
d311 1
a311 1
Make sure it successfully responds with
d319 2
a320 2
you can be sure the message was tampered with or not provided by the
OpenPKG project.
d322 1
a322 1
RPM Distribution File Verification
d324 1
a324 1
To verify a RPM file name.rpm (both source or
d327 1
a327 1
$ rpm -v --checksig name.rpm
d329 1
a329 1
Make sure it successfully responds with:
d331 11
a341 8
name.rpm: md5 gpg OK
If instead it responds with (or something else):
name.rpm: md5 GPG NOT OK
you can be sure the RPM was tampered with or not provided as
a released part of the OpenPKG project.
@
1.128
log
@add mysql SA
@
text
@d78 4
@
1.127
log
@link in forgotten published SAs
@
text
@d78 1
@
1.126
log
@update website for OpenPKG 2.3 release
@
text
@d78 2
@
1.125
log
@link SAs into website
@
text
@d45 1
a46 1
OpenPKG 2.1 CORE+BASE class packages
@
1.124
log
@link SAs into website
@
text
@d78 2
@
1.123
log
@SA-2005.001-perl; CAN-2004-0452, CAN-2004-0976
@
text
@d79 2
@
1.122
log
@SA-2004.054-samba; CAN-2004-0882, CAN-2004-0930, CAN-2004-1154
@
text
@d78 1
@
1.121
log
@SA-2004.053-php; CAN-2004-1018, CAN-2004-1018, CAN-2004-1019, CAN-2004-1020, CAN-2004-1063, CAN-2004-1064, CAN-2004-1065
@
text
@d78 1
@
1.120
log
@SA-2004.052-vim; CAN-2004-1138
@
text
@d78 1
@
1.119
log
@SA-2004.051-imapd; CAN-2004-1011, CAN-2004-1012, CAN-2004-1013, CAN-2004-1015 and more
@
text
@d78 1
@
1.118
log
@commit SAs to CVS which previously appeared through direct web site editing
@
text
@d78 1
@
1.117
log
@update security overview for OpenPKG 2.2
@
text
@d78 6
@
1.116
log
@link mod_ssl SA to website
@
text
@d45 1
a46 1
OpenPKG 2.0 CORE+BASE class packages
@
1.115
log
@SA-2004.043-tiff; CAN-2004-0803, CAN-2004-0886
@
text
@d78 3
a80 2
@
1.114
log
@remove traces of inactive bugdb
@
text
@d78 2
@
1.113
log
@link latest SAs to website
@
text
@d27 1
a27 2
silently ignored. They should be sent to openpkg-bugdb@@openpkg.org instead.
@
1.112
log
@link kerberos SA to website
@
text
@d79 2
@
1.111
log
@flush
@
text
@d79 2
@
1.110
log
@SA-2004.035-png; CAN-2004-0597, CAN-2004-0598, CAN-2004-0599
@
text
@d79 2
@
1.109
log
@SA-2004.034-php; CAN-2004-0594, CAN-2004-0595
@
text
@d79 1
@
1.108
log
@link in OpenPKG-SA-2004.032-apache
@
text
@d79 2
@
1.107
log
@release OpenPKG 2.1 web pages
@
text
@d79 1
@
1.106
log
@SA-2004.031-dhcpd; CAN-2004-0460, CAN-2004-0461
@
text
@d46 1
a47 1
OpenPKG 1.3 CORE+BASE class packages
d196 1
a196 1
OpenPKG 2.0
d198 1
a198 1
OpenPKG 2.0 has the capability to check signed packages with built-in
@
1.105
log
@SA-2004.030-png; CAN-2002-1363
@
text
@d79 1
@
1.104
log
@SA-2004.029-apache; CAN-2004-0492
@
text
@d79 1
@
1.103
log
@SA-2004.028-subversion; CAN-2004-0413
@
text
@d79 1
@
1.102
log
@OpenPKG-SA-2004.027-cvs, CAN-2004-0414, CAN-2004-0416, CAN-2004-0417, CAN-2004-0418
@
text
@d79 1
@
1.101
log
@add missing entry
@
text
@d79 1
@
1.100
log
@SA-2004.025-rsync; CAN-2004-0426
@
text
@d79 1
@
1.99
log
@link Neon SA into website
@
text
@d79 1
@
1.98
log
@link CVS and Subversion SAs into website
@
text
@d79 1
@
1.97
log
@link in SA-2004.021-apache
@
text
@d79 2
@
1.96
log
@add 2004.020-ssmtp
@
text
@d79 1
@
1.95
log
@SA-2004.019-kolab
@
text
@d79 1
@
1.94
log
@link in SA-2004.018-proftpd
@
text
@d79 1
@
1.93
log
@SA-2004.017-png
@
text
@d79 1
@
1.92
log
@link in OpenPKG-SA-2004.015-ethereal and OpenPKG-SA-2004.016-neon
@
text
@d79 1
@
1.91
log
@add missing SAs
@
text
@d79 2
@
1.90
log
@publish OpenPKG-SA-2004.010-tcpdump
@
text
@d79 3
@
1.89
log
@SA-2004.011-sharutils
@
text
@d80 1
@
1.88
log
@remove superfluous dash
@
text
@d79 1
@
1.87
log
@SA-2004.009-mc; CAN-2003-1023
@
text
@d79 1
a79 1
@
1.86
log
@make SA-2004.008-squid visible
@
text
@d79 1
@
1.85
log
@SA-2004.007-openssl; CAN-2004-0079, CAN-2004-0112
@
text
@d79 1
@
1.84
log
@SA-2004.006-uudeview
@
text
@d79 1
@
1.83
log
@SA-2004.005-mutt; CAN-2004-0078
@
text
@d79 1
@
1.82
log
@OpenPKG-SA-2004.004-libtool
@
text
@d79 1
@
1.81
log
@SA-2004.003-libxml (CAN-2004-0110)
@
text
@d79 1
@
1.80
log
@fix typos and point out the importance of package classes
@
text
@d79 1
@
1.79
log
@flush pending updates for OpenPKG 2.0
@
text
@d34 2
a35 2
The OpenPKG project provide security advisories for the following
releases of OpenPKG:
d38 2
a39 2
The most recent official release of OpenPKG.
The predecessor of the most recent release.
d42 2
a43 2
Following this policy, at this time, security advisories are being
released for CORE and BASE class packages of:
d46 2
a47 2
OpenPKG 2.0
OpenPKG 1.3
d53 2
a54 2
After a couple of days and some testing, the fix is retrofitted into the
supported OpenPKG-STABLE and OpenPKG-SOLID branch(es).
d254 2
a255 2
you can be sure the RPM was tampered with or not provided by the
OpenPKG project.
@
1.78
log
@SA-2004.002-tcpdump; CAN-2002-0380, CAN-2002-1350, CAN-2003-0108, CAN-2003-0989, CAN-2003-1029, CAN-2004-0055, CAN-2004-0057
@
text
@d46 1
a47 1
OpenPKG 1.2
d167 8
d179 1
a179 1
href="ftp://ftp.openpkg.org/release/1.3/SRC/gnupg-1.2.2-1.3.0.src.rpm">
@
1.77
log
@SA-2004.001-inn
@
text
@d79 1
@
1.76
log
@link in SA lftp and SA cvs
@
text
@d79 1
@
1.75
log
@SA-2003.051-rsync; CAN-2003-0962
@
text
@d79 2
@
1.74
log
@SA-2003.050-screen
@
text
@d79 1
@
1.73
log
@SA-2003.049-zebra; CAN-2003-0795, CAN-2003-0858
@
text
@d79 1
@
1.72
log
@link in PostgreSQL security advisory
@
text
@d79 2
@
1.71
log
@SA-2003.046-apache; CAN-2003-0542
@
text
@d79 1
@
1.70
log
@SA-2003.045-ircd; CAN-2003-0864
@
text
@d79 1
@
1.69
log
@SA-2003.044-openssl; CAN-2003-0543, CAN-2003-0544, CAN-2003-0545
@
text
@d79 1
@
1.68
log
@SA-2003.043-proftpd; CAN unknown
@
text
@d79 1
@
1.67
log
@SA-2003.042-openssh; CAN-2003-0786, CAN-2003-0787
@
text
@d79 1
@
1.66
log
@link Sendmail SA into website
@
text
@d79 1
@
1.65
log
@SA-2003.040-openssh; CAN-2003-0693
@
text
@d79 1
@
1.64
log
@flush pending changes
@
text
@d79 1
@
1.63
log
@SA-2003.039-perl; CAN-2003-0615
@
text
@d79 1
a79 1
@
1.62
log
@SA-2003.038-mysql; CAN-2003-0780
@
text
@d79 1
@
1.61
log
@link Sendmail SA into website
@
text
@d79 1
@
1.60
log
@OpenPKG-SA-2003.036-perl-www; CAN-2003-0615
@
text
@d79 1
@
1.59
log
@OpenPKG-SA-2003.035-openssh; CAN-2003-0190
@
text
@d79 1
@
1.58
log
@simplify and update security support statement; mention SOLID; reference more recent gnupg
@
text
@d79 1
@
1.57
log
@complete --eval example; use new pgp.openpkg.org
@
text
@d39 1
a39 3
OpenPKG-STABLE, if at least 2 releases are based on it.
The previous OpenPKG-STABLE when a "new stable" does not yet
have 2 releases based on it.
d46 1
a47 1
OpenPKG 1.1
d54 1
a54 1
supported OpenPKG-STABLE branch(es).
d150 1
a150 1
href="ftp://ftp.openpkg.org/release/1.1/SRC/gnupg-1.0.7-1.1.0.src.rpm">
@
1.56
log
@SA-2003.034-imagemagick; CAN-2003-0455
@
text
@d158 1
a158 1
you can simply use "prefix/etc/rc openpkg env" for this.
d169 1
a169 1
$ gpg --recv-keys --keyserver pgp.mit.edu 63C4CB9F
@
1.55
log
@SA-2003.033-infozip; CAN-2003-0282
@
text
@d81 1
@
1.54
log
@SA-2003.032-php; CAN-2002-0985, CAN-2002-0986, CAN-2003-0442
@
text
@d81 1
@
1.53
log
@link in gzip SA
@
text
@d81 1
@
1.52
log
@SA-2003.030-ghostscript; CAN-2003-0354; execute arbitrary commands
@
text
@d81 1
@
1.51
log
@link GnuPG SA into website
@
text
@d81 1
@
1.50
log
@link in Samba SA
@
text
@d81 1
@
1.49
log
@activate Sendmail SA
@
text
@d81 1
@
1.48
log
@link OpenSSL SA into website
@
text
@d81 1
@
1.47
log
@link in mutt SA
@
text
@d81 1
@
1.46
log
@activate MySQL SA
@
text
@d81 3
@
1.45
log
@link in Samba SA
@
text
@d81 1
@
1.44
log
@add mod_ssl SA
@
text
@d81 1
@
1.43
log
@activate OpenSSL SA
@
text
@d81 1
@
1.42
log
@link in QPopper SA
@
text
@d81 1
@
1.41
log
@SA-2003.017-file
@
text
@d81 1
@
1.40
log
@SA-2003.016; CAN-2002-133
@
text
@d81 1
@
1.39
log
@link tcpdump SA into website
@
text
@d81 2
@
1.38
log
@activate already the OpenSSL SA for easier testing
@
text
@d81 1
@
1.37
log
@SA-2003.012-dhcpd; CAN-2003-0039
@
text
@d81 1
@
1.36
log
@SA-2003.011-lynx; CAN-2002-1405
@
text
@d81 1
@
1.35
log
@Put new PHP advisory online.
@
text
@d81 1
@
1.34
log
@new SA-2003.009-w3m
@
text
@d81 1
@
1.33
log
@OpenPKG-SA-2003.008 fix mysql double free bug
@
text
@d81 1
@
1.32
log
@SA-2003.007-wget; CAN-2002-1344
@
text
@d81 1
@
1.31
log
@SA-2003.006-python; CAN-2002-1119
@
text
@d81 1
@
1.30
log
@flush everything prepared for OpenPKG 1.2
@
text
@d81 1
@
1.29
log
@SA-2003.005-php; CAN-2002-1396
@
text
@d17 1
a17 1
d44 2
a45 1
At this time, security advisories are being released for:
d48 2
a49 2
OpenPKG 1.1 (CORE and BASE class packages only)
OpenPKG 1.0
d60 4
a64 2
You are strongly advised to subscribe to this
moderated mailing list.
d71 7
a77 3
- [OpenPKG-SA-%0] %1
(HTML,
TXT)
d79 2
a80 1
d102 1
@
1.28
log
@SA-2003.004-cvs; CAN-2003-0015
@
text
@d73 1
@
1.27
log
@SA-2003.003-vim; CAN-2002-1377
@
text
@d73 1
@
1.26
log
@mount'em
@
text
@d73 1
@
1.25
log
@commit pending changes to CVS
@
text
@d73 2
@
1.24
log
@add SAs
@
text
@d47 1
a47 1
OpenPKG 1.1 (CORE and BASE class packages only)
@
1.23
log
@release SA
@
text
@d73 4
@
1.22
log
@add SA for Apache/mod_ssl
@
text
@d73 2
@
1.21
log
@add security advisory
@
text
@d73 1
@
1.20
log
@Fix broken links to a broken or nonexisting keyserver. Suggest the more
reliable MIT keyserver for PGP key service. Please review this change for
political considerations.
@
text
@d47 1
d73 8
a81 7
d102 1
a102 1
href="ftp://ftp.openpkg.org/release/1.0/SRC/gnupg-1.0.6-1.0.0.src.rpm">
@
1.19
log
@add -v option as recommended by Andrew Griffiths
@
text
@d117 1
a117 1
$ gpg --recv-keys --keyserver keyserver.pgp.com 63C4CB9F
@
1.18
log
@activate SA
@
text
@d78 2
d165 1
a165 1
$ rpm --checksig name.rpm
@
1.17
log
@add SA
@
text
@d77 1
@
1.16
log
@SA 2002.004 apache
@
text
@d76 1
@
1.15
log
@add SA related stuff
@
text
@d75 1
@
1.14
log
@better optical appearance
@
text
@d74 1
a74 1
#
@
1.13
log
@add SA list
@
text
@d67 3
a69 3
[OpenPKG-SA-%0] %1
(HTML,
TXT)
d71 1
a71 2
@
1.12
log
@Cleanup and minor corrections.
@
text
@d65 1
d67 3
a69 2
[OpenPKG-SA-%0] %1
(HTML, TXT)
d71 1
d73 2
a74 1
#
d76 1
@
1.11
log
@finally decided to use a dot
@
text
@d8 1
a8 2
OpenPKG takes security very seriously.
Experience has shown that "security
d51 1
a51 1
to one of the supported releases mentioned above. Like all development
d84 1
a84 2
In order to verify the digital signatures you first have to
follow these steps:
d93 1
a93 1
Alternatively you can also fetch it from its official homepage name.rpm (both source or
d166 2
a167 2
you can be sure the RPM was tampered or provided not by the OpenPKG
project.
@
1.10
log
@provide better listing
@
text
@d71 1
a71 1
#
@
1.9
log
@add anchors
@
text
@d64 1
a64 1
The complete list of OpenPKG Security Advisories (OSA) follow:
d66 4
d71 1
a71 1
# [OpenPKG-SA-2001:000] template
@
1.8
log
@update our OpenPGP stuff for our new and final key
@
text
@d31 1
d33 1
d70 1
d72 1
@
1.7
log
@do not show template
@
text
@a8 1
# Most security problems brought to our attention are corrected within 48 hours.
d96 1
a96 1
key of "The OpenPKG Project <openpkg@@openpkg.org>" into your
d102 1
a102 1
$ gpg --recv-keys --keyserver keyserver.pgp.com 113E6CFC
d118 1
a118 1
8D99 3BBD 6420 7D81 4625 EEC2 463B E53A 113E 6CFC
d137 1
a137 1
gpg: Good signature from "The OpenPKG Project "
d141 1
a141 1
gpg: BAD signature from "The OpenPKG Project "
@
1.6
log
@information about digital signatures
@
text
@d66 1
a66 1
[OpenPKG-SA-2001:000] template
@
1.5
log
@adjust text
@
text
@d69 98
@
1.4
log
@Rewording and other corrections.
@
text
@d8 3
a10 2
OpenPKG takes security very seriously. Most security problems brought to our
attention are corrected within 48 hours. Experience has shown that "security
d16 2
d32 24
d66 1
a66 1
[OSA-000] template
@
1.3
log
@add OpenPGP key
@
text
@d9 1
a9 1
attention are corrected within 48 hours. Experience has shown that "security
d17 1
a17 2
Notification of security incidents should be
reported to