On Sat, 30 Mar 2024 18:05:44 +0100, Martin wrote in message
<3824617.kQq0lBPeGt@???>:
> Hi!
>
> Thanks.
>
> aitor - 30.03.24, 02:54:31 CET:
> > On 29/3/24 23:02, dng@??? wrote:
> > > For those running testing or unstable you are urged to update the
> > > xz-utils package:
> > > https://lists.debian.org/debian-security-announce/2024/msg00057.html
> > >
> […]
> > As explained in this thread:
> >
> > https://www.openwall.com/lists/oss-security/2024/03/29/4
> >
> > the backdoor is in upstream xz-utils/liblzma and leads to ssh server
> > compromise.
> >
> > "Openssh does not directly use xz-utils/liblzma. However debian and
> > several other distributions patch openssh to support systemd
> > notification, and libsystemd does depend on xz-utils/liblzma"
>
> So I take it that Devuan is also affected.
..allegedly not, still a good assumption on any package coming
from the systemd fanbois, who really have shown no interest in
"supporting" us non-systemd "freeloaders."
> Would it be an idea to remove the Debian patch to support systemd
> notification? On the other hand that means another forked package.
..yup, yup.
> I have read Systemd is not at fault here and technically the backdoor
> is in xz-utils/liblzma.
..true, but as you'll have seen by now, it took them quite a while to
figure all that out, and the bad guys may have set up other backdoors
into ssh. There is after all a lot of WWIII talk going on these days,
even in those moderate circles, and ssh _IS_ a backdoor vector "worth
trying" into not just IT infrastructure; there are also ships downing
bridges.
> However… this again shows me that pulling in
> dependencies for non-critical stuff like Systemd notification into a
> binary like the SSH server does not really sound like a good idea to me.
..welcome onboard. ;o)
> The more dependencies you pull in the greater the likelihood of a
> security issue.
..yup.
--
..med vennlig hilsen = with Kind Regards from Arnt Karlsen
...with a number of polar bear hunters in his ancestry...
Scenarios always come in sets of three:
best case, worst case, and just in case.
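A check for the dependency path discussed in this thread (sshd -> libsystemd -> liblzma), as an added example that is not part of the list post: it classifies ldd-style output of an sshd binary, using constructed sample output so it runs without a real sshd, and the function name and the four result labels are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: classify an sshd binary's shared
# library dependencies to see whether the liblzma dependency described
# above (reached through libsystemd via the systemd-notification patch)
# is present. ldd output is flat, so libsystemd plus liblzma together is
# reported as that inferred path; `lddtree` (pax-utils) shows the real chain.

# $1: ldd-style output, one "lib.so => /path (0x...)" line per dependency.
# Prints one of: lzma-via-systemd, lzma-direct, systemd-only, clean
classify_sshd_deps() {
    deps="$1"
    has_systemd=no
    has_lzma=no
    case "$deps" in *libsystemd.so*) has_systemd=yes ;; esac
    case "$deps" in *liblzma.so*) has_lzma=yes ;; esac
    if [ "$has_lzma" = yes ] && [ "$has_systemd" = yes ]; then
        echo lzma-via-systemd
    elif [ "$has_lzma" = yes ]; then
        echo lzma-direct
    elif [ "$has_systemd" = yes ]; then
        echo systemd-only
    else
        echo clean
    fi
}

# Constructed sample: a Debian-style sshd carrying the systemd patch.
PATCHED_SAMPLE='linux-vdso.so.1 (0x00007ffd)
libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f01)
liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f02)
libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f03)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f04)'

# Constructed sample: an sshd built without the notification patch.
UNPATCHED_SAMPLE='linux-vdso.so.1 (0x00007ffd)
libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f03)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f04)'

# Check the local sshd when present. ldd runs the dynamic loader on the
# target, so only point it at a binary you already trust to execute.
if [ -x /usr/sbin/sshd ] && command -v ldd >/dev/null 2>&1; then
    classify_sshd_deps "$(ldd /usr/sbin/sshd 2>/dev/null)"
fi
```

On a system where this prints clean, the sshd binary links neither library, which is the state the thread argues for.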