severity #992545 normal
tags #992545 security
reassign #992545 cdimage.debian.org
thanks

(Tagging this as a potential security issue, lowering severity probably
too far, reassigning to cdimage.debian.org as this looks like a possible
issue with the official CD images)

That being said, Debian 10.9 has become Debian oldstable last weekend,
and we released a point release in the meantime, so normal people are
unlikely to install from a Debian 10.9 image since we now have Debian
11.0 and Debian 10.10.

On Fri, Aug 20, 2021 at 01:07:52AM +0200, Molly Millions wrote:
> Something fishy is going on with the
>
> debian-10.9.0-amd64-netinst.iso
> MD5: 73e74eef3d998d522f92295016d92fdc
> SHA256: 8660593d10de0ce7577c9de4dab886ff540bc9843659c8879d8eea0ab224c109

I can confirm that the CD image that can be downloaded from
https://cdimage.debian.org/mirror/cdimage/archive/10.9.0/amd64/iso-cd/debian-10.9.0-amd64-netinst.iso
actually has those checksums.

> I used this image to install a base system with VMWare player. After the
> installation is done I login with root on the console and cat'ing the
> /etc/shadow file shows a randomly generated user (AWkoc7HZ90) in the shadow
> file that is *not visible* by using nano. If I ssh into the box as root the
> shadow file doesn't reveal the user. Check the attached picture.

I have installed from this image into a KVM VM (graphical installer,
giving default answers to most questions) and I can confirm that
/etc/shadow is just fine both from the running system and from the file
system mounted into a rescue system booted from a read-only ISO.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mail address in header
Leimen, Germany    |  lose things."    Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature |  How to make an American Quilt | Fax: *49 6224 1600421