:: Re: [DNG] [SECURITY] [DSA 5649-1] x…
Top Page
Delete this message
Reply to this message
Author: Amin Bandali
Date:  
To: Jeremy Phelps via Dng
Subject: Re: [DNG] [SECURITY] [DSA 5649-1] xz-utils security update
Jeremy Phelps via Dng wrote:

>> On Mar 30, 2024, at 13:05, Martin Steigerwald <martin@???> wrote:

[...]
>>
>> So I take it that Devuan is also affected.
>>
>
> I checked with ldd and confirmed that Devuan's sshd is linked with libsystemd.


Not quite. The libsystemd.so.0 shared library on Devuan is
actually provided by the libelogind-compat package, as a symlink
to libelogind.so.0 from the libelogind0 package:

$ dpkg -S libsystemd.so.0
libelogind-compat:amd64: /lib/x86_64-linux-gnu/libsystemd.so.0

$ readlink /usr/lib/x86_64-linux-gnu/libsystemd.so.0
libelogind.so.0

$ dpkg -S libelogind.so.0
libelogind0:amd64: /lib/x86_64-linux-gnu/libelogind.so.0
libelogind0:amd64: /lib/x86_64-linux-gnu/libelogind.so.0.35.0

Which, unlike libsystemd, does *not* depend on liblzma from xz-utils:

$ apt-cache depends libelogind0
libelogind0
Depends: libc6
Depends: libcap2

So Devuan is likely safe, at least with respect to that part of the
attack.