Hi!
Thanks.
aitor - 30.03.24, 02:54:31 CET:
> On 29/3/24 23:02, dng@??? wrote:
> > For those running testing or unstable you are urged to update the
> > xz-utils package:
> > https://lists.debian.org/debian-security-announce/2024/msg00057.html
[…]
> As explained in this thread:
>
> https://www.openwall.com/lists/oss-security/2024/03/29/4
>
> the backdoor is in upstream xz-utils/liblzma and leads to ssh server
> compromise.
>
> "Openssh does not directly use xz-utils/liblzma. However debian and
> several other distributions patch openssh to support systemd
> notification, and libsystemd does depend on xz-utils/liblzma"
So I take it that Devuan is also affected.
Would it be an idea to remove the Debian patch to support systemd
notification? On the other hand that means another forked package.
I have read Systemd is not at fault here and technically the backdoor is
in xz-utils/liblzma. However… this again shows me that pulling in
dependencies for non-critical stuff like Systemd notification into a binary
like the SSH server does not really sound like a good idea to me.
The more dependencies you pull in, the greater the likelihood of a
security issue.
Best,
--
Martin
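The dependency chain the quoted oss-security post describes (sshd linking libsystemd, which links liblzma) can be checked directly on a host. The script below is an added example, not part of this message and not Devuan or Debian tooling. It assumes a Linux/glibc system with ldd(1) and readelf(1) installed; the sshd path is an assumption for a Debian-style layout. The version check names 5.6.0 and 5.6.1, the backdoored upstream releases covered by the linked Debian advisory (CVE-2024-3094); that detail is not stated in the message above.

```shell
#!/bin/sh
# Added example (not from the list post). Assumes Linux/glibc with ldd and
# readelf available; the sshd path used below is an assumption.

# Extract the resolved .so paths from ldd(1) output read on stdin.
# Handles both "libfoo.so => /path/libfoo.so (0x...)" and bare
# "/lib64/ld-linux-x86-64.so.2 (0x...)" lines; skips the vDSO line.
ldd_paths() {
    awk '/=> \// { print $3 } /^[[:space:]]*\// { print $1 }'
}

# Does an ldd listing (stdin) contain liblzma at all?
lists_liblzma() {
    grep -q 'liblzma\.so'
}

# Given library paths on stdin, print those whose NEEDED entries include
# liblzma, i.e. the library that actually imports it (libsystemd on
# Debian-patched sshd). Uses readelf -d; objdump -p would work as well.
lzma_importers() {
    while read -r lib; do
        [ -r "$lib" ] || continue
        if readelf -d "$lib" 2>/dev/null | grep -q 'NEEDED.*liblzma\.so'; then
            echo "$lib"
        fi
    done
}

# Is this an xz-utils version that shipped the backdoored liblzma?
# Affected upstream releases: 5.6.0 and 5.6.1 (CVE-2024-3094); fact not
# stated in the list message, taken from the advisory it links.
is_backdoored_xz_version() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Full check for one binary: reports whether liblzma is mapped into it and
# which of its direct dependencies imports liblzma. Returns 0 if liblzma
# is loaded, 1 if not, 2 if ldd failed.
check_binary() {
    bin=$1
    out=$(ldd "$bin" 2>/dev/null) || { echo "ldd failed for $bin"; return 2; }
    if printf '%s\n' "$out" | lists_liblzma; then
        echo "$bin loads liblzma; imported by:"
        printf '%s\n' "$out" | ldd_paths | lzma_importers | sed 's/^/  /'
        return 0
    fi
    echo "$bin does not load liblzma"
    return 1
}

# Report the installed xz version (first token after "xz" in `xz --version`).
installed_xz_version() {
    xz --version 2>/dev/null | awk 'NR == 1 { print $NF }'
}

# Usage: sh check_lzma.sh /usr/sbin/sshd   (path is an assumption)
if [ -n "${1:-}" ]; then
    check_binary "$1"
    v=$(installed_xz_version)
    if [ -n "$v" ] && is_backdoored_xz_version "$v"; then
        echo "installed xz $v is a backdoored upstream release"
    fi
fi
```

On a Devuan or Debian host where sshd carries the systemd-notification patch, the report will name libsystemd as the importer; on an sshd built without that patch, or once the patch is dropped as suggested above, liblzma should not appear in the listing at all, which is the quickest way to confirm that the dependency really is gone after a rebuild.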