:: Re: [DNG] [SECURITY] [DSA 5649-1] x…
Top Page
This message is part of the following thread:
M-++\the complete thread tree sorted by date
M\MMMJeremy Phelps at <-
MMMMLorenz at ->
Delete this message
Reply to this message
Author: Amin Bandali
Date:  
To: Jeremy Phelps via Dng
Subject: Re: [DNG] [SECURITY] [DSA 5649-1] xz-utils security update
Jeremy Phelps via Dng wrote:

>> On Mar 30, 2024, at 13:05, Martin Steigerwald <martin@???> wrote:
[...]
>>
>> So I take it that Devuan is also affected.
>>
>
> I checked with ldd and confirmed that Devuan's sshd is linked with libsystemd.

Not quite. The libsystemd.so.0 shared library on Devuan is
actually provided by the libelogind-compat package, as a symlink
to libelogind.so.0 from the libelogind0 package:

$ dpkg -S libsystemd.so.0
libelogind-compat:amd64: /lib/x86_64-linux-gnu/libsystemd.so.0

$ readlink /usr/lib/x86_64-linux-gnu/libsystemd.so.0
libelogind.so.0

$ dpkg -S libelogind.so.0
libelogind0:amd64: /lib/x86_64-linux-gnu/libelogind.so.0
libelogind0:amd64: /lib/x86_64-linux-gnu/libelogind.so.0.35.0

Which, unlike libsystemd, does *not* depend on liblzma from xz-utils:

$ apt-cache depends libelogind0
libelogind0
Depends: libc6
Depends: libcap2

So Devuan is likely safe, at least with respect to that part of the
attack.
This message was posted to the following mailing lists:
dng
Mailing List Info | Nearby Messages		<-Re: [DNG] eventually: the sbin mergeRe: [DNG] eventually: the sbin merge->

Donate to Dyne.org

dyne.org open discussions
administrated by dyne.org hackers		Lurker (version 2.3)