:: Re: [DNG] [SECURITY] [DSA 5649-1] x…
Página superior
Este mensaje es parte del siguiente hilo:
M-++\El árbol completo de hilos, ordenados por fecha
M\MMMDidier Kryn, mensaje del <-
MMMMAmin Bandali, mensaje del ->
Eliminar este mensaje
Responder a este mensaje
Autor: Jeremy Phelps
Fecha:  
A: dng
Asunto: Re: [DNG] [SECURITY] [DSA 5649-1] xz-utils security update


> On Mar 30, 2024, at 13:05, Martin Steigerwald <martin@???> wrote:
>
> Hi!
>
> Thanks.
>
> aitor - 30.03.24, 02:54:31 CET:
>> On 29/3/24 23:02,dng@??? wrote:
>>> For those running testing or unstable your are urged to update the
>>> xz-utils package:
>>> https://lists.debian.org/debian-security-announce/2024/msg00057.html
> […]
>> As explained in this thread:
>>
>> https://www.openwall.com/lists/oss-security/2024/03/29/4
>>
>> the backdoor is in upstream xz-utils/liblzma and leads to ssh server
>> compromise.
>>
>> "Openssh does not directly use xz-utils/liblzma. However debian and
>> several other distributions patch openssh to support systemd
>> notification, and libsystemd does depend o xz-utils/liblzma"
>
> So I take it that Devuan is also affected.
>

I checked with ldd and confirmed that Devuan's sshd is linked with libsystemd.

> Would it be an idea to remove the Debian patch to support systemd
> notification? On the other hand that means another forked package.
>

It's easier than that. You just need to add --without-systemd to the flags passed to the configure script
when building it.

Este mensaje se envió a las siguientes listas de correo:
dng
Información de la lista de correo | Mensajes cercanos		<-Re: [DNG] eventually: the sbin mergeRe: [DNG] eventually: the sbin merge->

Donate to Dyne.org

dyne.org open discussions
administrado por dyne.org hackers		Lurker (versión 2.3)