AFAIK all the current attacks on MD5 still require that the bad guy gets to pick *both* files.
Presumably we can trust that the people posting this security advisory are not auditing and
then hashing a file that was supplied by a "bad guy", but are instead working from known-good
sources -- so their hashes should be safe to use.
That said... seriously, everyone should be moving to SHA-256, just cuz. Convenient access to
SHA-1 (in the form of sha1sum) is probably still more widespread, though, and even it isn't