BLU Discuss list archive
[Discuss] Debian 12 in the Cloud
- Subject: [Discuss] Debian 12 in the Cloud
- From: kentborg at borg.org (Kent Borg)
- Date: Fri, 31 May 2024 10:07:29 -0700
- In-reply-to: <20240531124428.649ba044.Richard.Pieri@gmail.com>
- References: <a09a4ca0-bfc8-4c5c-ad30-e307be9e2cc1@borg.org> <f840e62cb5c88c336909575f0acc5365.squirrel@mail.mohawksoft.com> <3d52eef7-5aa4-49a0-b580-91183ca1b0ae@borg.org> <20240531124428.649ba044.Richard.Pieri@gmail.com>
On 5/31/24 09:44, Rich Pieri wrote:
> OpenSSH is the vector used to invoke the back door embedded in xz. I'm
> oversimplifying things, because the "simple" description is anything
> but simple:

Sounds like I painted my brush a bit broad in blaming stupid systemd when I should blame distributions for using stupid systemd.

From https://arstechnica.com/security/2024/04/what-we-know-about-the-xz-utils-backdoor-that-almost-infected-the-world/

> OpenSSH, the most popular sshd implementation, doesn't link the liblzma library, but Debian
> and many other Linux distributions add a patch to link sshd to systemd <https://en.wikipedia.org/wiki/Systemd>, a program that loads
> a variety of services during the system bootup. Systemd, in turn, links to liblzma, and this
> allows xz Utils to exert control over sshd.

The point remains that the code OpenSSH people reviewed, merged, tested, and published was *not* vulnerable. But as part of using systemd, others patched sshd to add a new dependency, adding a backdoor, and the resulting code almost hit stable.

So, yes, I am also pissed at Debian for putting this unnecessarily complex software (complex is bad) in their distribution.

I'm also pissed at Debian for going along with removing menu bars and removing window drag bars and removing scroll bars and instead adding big UI widgets and generally thinking my mouse-equipped Linux machine is a thumb-operated "smartphone", but that's getting off topic.

-kb
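
Added example, not part of the original message or of any project's code: a check for the dependency chain described above, walking DT_NEEDED entries parsed from `readelf -d` output to see whether an sshd build reaches liblzma. The `readelf` dumps, binary names and library lists below are constructed samples, not taken from a real system.

```python
import re
from collections import deque

# Matches the DT_NEEDED lines printed by `readelf -d <file>`.
NEEDED_RE = re.compile(r"\(NEEDED\)\s+Shared library: \[([^\]]+)\]")

def parse_needed(readelf_text):
    """Return the sonames listed as DT_NEEDED in `readelf -d` output."""
    return NEEDED_RE.findall(readelf_text)

def find_chain(graph, root, target_prefix):
    """Breadth-first walk over DT_NEEDED edges. Returns the shortest chain
    from root to a library whose soname starts with target_prefix, or None."""
    queue, seen = deque([[root]]), {root}
    while queue:
        path = queue.popleft()
        for dep in graph.get(path[-1], []):  # libraries with no dump are leaves
            if dep in seen:
                continue
            seen.add(dep)
            if dep.startswith(target_prefix):
                return path + [dep]
            queue.append(path + [dep])
    return None

# Constructed `readelf -d` excerpts (assumed names; real output has more rows).
DUMPS = {
    "sshd-upstream": """
 0x0000000000000001 (NEEDED)   Shared library: [libcrypto.so.3]
 0x0000000000000001 (NEEDED)   Shared library: [libc.so.6]
""",
    "sshd-patched": """
 0x0000000000000001 (NEEDED)   Shared library: [libsystemd.so.0]
 0x0000000000000001 (NEEDED)   Shared library: [libcrypto.so.3]
 0x0000000000000001 (NEEDED)   Shared library: [libc.so.6]
""",
    "libsystemd.so.0": """
 0x0000000000000001 (NEEDED)   Shared library: [libzstd.so.1]
 0x0000000000000001 (NEEDED)   Shared library: [liblzma.so.5]
 0x0000000000000001 (NEEDED)   Shared library: [libc.so.6]
""",
}
GRAPH = {name: parse_needed(text) for name, text in DUMPS.items()}

if __name__ == "__main__":
    for binary in ("sshd-upstream", "sshd-patched"):
        chain = find_chain(GRAPH, binary, "liblzma")
        print(binary, "->", " -> ".join(chain[1:]) if chain else "no liblzma")
```

On a real host, the same graph can be built by feeding `readelf -d` output for sshd and each library it names into `parse_needed`.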