BLU Discuss list archive



[Discuss] Debian 12 in the Cloud



On Fri, 31 May 2024 08:50:02 -0700
Kent Borg <kentborg at borg.org> wrote:

> But how in the hell could a compromise of xz put a backdoor into
> sshd?? Because systemd patches sshd--because systemd.

It didn't. There is no vulnerability in OpenSSH.

There is no vulnerability in OpenSSH patched to work with systemd's
logging facilities. The vulnerability lies in systemd's use of xz.
OpenSSH is the vector used to invoke the back door embedded in xz. I'm
oversimplifying things, because the "simple" description is anything
but simple:

https://x.com/fr0gger_/status/1774342248437813525
https://www.linkedin.com/posts/rekunkel_great-infographic-about-the-xz-outbreak-activity-7180237206685409281-ITXL

And in fact, systemd was about to *remove* the xz dependency when the
backdoor was discovered. It's possible that this announcement caused
the actors behind the backdoor to accelerate their plans, which in turn
may have contributed to its discovery.

-- 
\m/ (--) \m/
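
The sshd -> libsystemd -> liblzma chain discussed in the message above can be checked on a host by walking the DT_NEEDED entries that `readelf -d` prints for each binary. The following is an added example, not part of the original post: the `readelf -d` excerpts are constructed samples and the function names are hypothetical.

```python
import re
from collections import deque

# Matches DT_NEEDED lines as printed by `readelf -d <file>`.
NEEDED_RE = re.compile(r"\(NEEDED\)\s+Shared library: \[([^\]]+)\]")

def parse_needed(readelf_output):
    """Return the shared libraries a binary declares as direct dependencies."""
    return NEEDED_RE.findall(readelf_output)

def build_graph(dumps):
    """Map each binary/library name to its direct DT_NEEDED list."""
    return {name: parse_needed(text) for name, text in dumps.items()}

def dependency_chain(graph, root, target_prefix):
    """Breadth-first walk; return the shortest chain from root to a library
    whose name starts with target_prefix, or None if it is never loaded."""
    queue, seen = deque([[root]]), {root}
    while queue:
        chain = queue.popleft()
        if chain[-1].startswith(target_prefix):
            return chain
        for lib in graph.get(chain[-1], []):
            if lib not in seen:
                seen.add(lib)
                queue.append(chain + [lib])
    return None

# Constructed sample: an sshd built with a distribution's systemd patch.
PATCHED = {
    "sshd": """
 0x0000000000000001 (NEEDED)  Shared library: [libcrypto.so.3]
 0x0000000000000001 (NEEDED)  Shared library: [libsystemd.so.0]
 0x0000000000000001 (NEEDED)  Shared library: [libc.so.6]""",
    "libsystemd.so.0": """
 0x0000000000000001 (NEEDED)  Shared library: [libcap.so.2]
 0x0000000000000001 (NEEDED)  Shared library: [liblzma.so.5]
 0x0000000000000001 (NEEDED)  Shared library: [libc.so.6]""",
}
# Constructed sample: an sshd built without the systemd patch.
UNPATCHED = {
    "sshd": """
 0x0000000000000001 (NEEDED)  Shared library: [libcrypto.so.3]
 0x0000000000000001 (NEEDED)  Shared library: [libc.so.6]""",
}

if __name__ == "__main__":
    for label, dumps in (("patched", PATCHED), ("unpatched", UNPATCHED)):
        print(label, dependency_chain(build_graph(dumps), "sshd", "liblzma"))
```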