Closed erickpeirson closed 10 months ago
@erickpeirson thanks for reporting this discrepancy. We've relayed your findings to the SQL maintainers, who will follow up with a mitigation plan/ETA. FWIW, one of our ongoing investments is to verify/enforce package quality, to prevent discrepancies like this from occurring in the future.
As you have seen, this issue does not prevent the installation nor affect the usability of the package itself, hence why our testing didn't discover it. According to https://manpages.debian.org/bookworm/dpkg-dev/deb-md5sums.5.en.html the hashes are "not for any kind of security purpose."
We should have a fix for this published in around a week. Apologies for the inconvenience.
@erickpeirson 2.3.11-3 has been released with the fix.
@v-chojas Fantastic! Thanks for the quick fix
Describe the issue
In the Debian 11 unixodbc 2.3.11-2 AMD64 build at https://packages.microsoft.com/debian/11/prod/pool/main/u/unixodbc/, the checksums associated with the package do not match binaries included therein.
This is flagged as a critical security issue in some systems. Build 2.3.11-1 is not affected.
When did the issue occur?
This appears to have been introduced when build 2.3.11-2 was published on 10 October, 2023.
If applicable, what package did you attempt to install, and from which repo?
Steps to Reproduce
/var/lib/dpkg/info/unixodbc.md5sums to the checksums of the binaries actually installed
Actual Result
Checksums for /usr/bin/iusql and /usr/bin/isql do NOT match the values in unixodbc.md5sums
Expected Result
Checksums for /usr/bin/iusql and /usr/bin/isql DO match the values in unixodbc.md5sums
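
The comparison described in the steps to reproduce, as an added example that is not part of the original issue or of the package's tooling: it parses the deb-md5sums(5) format (MD5 hex digest, two spaces, path relative to the root) and classifies each listed file as ok, mismatch or missing. The temporary directory, the file contents and the `constructed-missing` entry are constructed sample data.

```python
import hashlib
import os
import tempfile

def parse_md5sums(text):
    """Parse deb-md5sums(5) content: '<32 hex chars>  <path relative to root>'."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, _, path = line.partition("  ")
        if len(digest) != 32 or not path:
            raise ValueError(f"malformed md5sums line: {line!r}")
        entries.append((digest.lower(), path))
    return entries

def file_md5(path):
    with open(path, "rb") as fh:
        return hashlib.md5(fh.read()).hexdigest()

def verify(md5sums_text, root="/"):
    """Return {path: 'ok' | 'mismatch' | 'missing'} for every listed file."""
    result = {}
    for want, rel in parse_md5sums(md5sums_text):
        full = os.path.join(root, rel.lstrip("/"))
        if not os.path.isfile(full):
            result[rel] = "missing"
        else:
            result[rel] = "ok" if file_md5(full) == want else "mismatch"
    return result

def demo():
    """Constructed sample: a temp root where one binary differs from its listing."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "usr/bin"))
        for name, data in (("isql", b"constructed A"), ("iusql", b"constructed B")):
            with open(os.path.join(root, "usr/bin", name), "wb") as fh:
                fh.write(data)
        listing = (
            f"{hashlib.md5(b'constructed A').hexdigest()}  usr/bin/isql\n"
            f"{hashlib.md5(b'other build').hexdigest()}  usr/bin/iusql\n"
            f"{hashlib.md5(b'x').hexdigest()}  usr/bin/constructed-missing\n"
        )
        return verify(listing, root)

if __name__ == "__main__":
    # On a Debian host: verify(open("/var/lib/dpkg/info/unixodbc.md5sums").read())
    for path, status in demo().items():
        print(f"{status:9} {path}")
```

A mismatch shows only that an installed file differs from what the package recorded; an MD5 listing stored alongside the files offers no protection against deliberate tampering.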