BLU Discuss list archive



[Discuss] Debian 12 in the Cloud



On 5/31/24 09:44, Rich Pieri wrote:
> OpenSSH is the vector used to invoke the back door embedded in xz. I'm
> oversimplifying things, because the "simple" description is anything
> but simple:

Sounds like I painted my brush a bit broad in blaming stupid systemd 
when I should blame distributions for using stupid systemd.


From
https://arstechnica.com/security/2024/04/what-we-know-about-the-xz-utils-backdoor-that-almost-infected-the-world/

> OpenSSH, the most popular sshd implementation, doesn't link the liblzma
> library, but Debian and many other Linux distributions add a patch to link
> sshd to systemd <https://en.wikipedia.org/wiki/Systemd>, a program that
> loads a variety of services during the system bootup. Systemd, in turn,
> links to liblzma, and this allows xz Utils to exert control over sshd.


The point remains that the code OpenSSH people reviewed, merged, tested, 
and published was *not* vulnerable. But as part of using systemd, others 
patched sshd to add a new dependency, adding a backdoor, and the 
resulting code almost hit stable.

So, yes, I am also pissed at Debian for putting this unnecessarily 
complex software (complex is bad) in their distribution.


I'm also pissed at Debian for going along with removing menu bars and 
removing window drag bars and removing scroll bars and instead adding 
big UI widgets and generally thinking my mouse-equipped Linux machine is 
a thumb-operated "smartphone", but that's getting off topic.


-kb
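As an added example (not part of the post above, the Ars Technica article, or any Debian or OpenSSH tooling), the following POSIX sh snippet checks an sshd's shared-library list for exactly the chain the thread describes: sshd linking libsystemd, and libsystemd pulling in liblzma. The two `ldd`-style dependency lists embedded in it are constructed by hand for the demonstration, with placeholder load addresses; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post or the Ars Technica article.
# Checks an sshd binary's shared-library list for the chain the thread
# describes: sshd -> libsystemd -> liblzma.  The ldd output below is
# constructed by hand for the demo (load addresses are placeholders).

# links_lib TEXT LIBNAME: succeed if the ldd-style TEXT lists LIBNAME.so*
links_lib() {
    printf '%s\n' "$1" | grep -q "^[[:space:]]*$2\.so"
}

# sshd_lzma_chain TEXT: print a verdict for one sshd's ldd output.
# Exit status: 0 = neither library mapped (upstream-style sshd),
#              1 = libsystemd mapped but liblzma not,
#              2 = libsystemd and liblzma both mapped (the exposed case),
#              3 = liblzma mapped without libsystemd (unexpected for OpenSSH).
sshd_lzma_chain() {
    if links_lib "$1" libsystemd; then
        if links_lib "$1" liblzma; then
            echo "EXPOSED: sshd -> libsystemd -> liblzma"
            return 2
        fi
        echo "sshd links libsystemd but liblzma is not mapped"
        return 1
    fi
    if links_lib "$1" liblzma; then
        echo "UNEXPECTED: sshd maps liblzma without libsystemd"
        return 3
    fi
    echo "clean: sshd maps neither libsystemd nor liblzma"
    return 0
}

# Constructed sample: a Debian-style sshd carrying the libsystemd patch.
SAMPLE_PATCHED='    linux-vdso.so.1 (0x00007fff00000000)
    libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x0000000000000001)
    liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x0000000000000002)
    libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x0000000000000003)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x0000000000000004)'

# Constructed sample: an sshd built from unpatched upstream OpenSSH sources.
SAMPLE_UPSTREAM='    linux-vdso.so.1 (0x00007fff00000000)
    libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x0000000000000003)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x0000000000000004)'

# Run both samples; capture the status so a non-zero verdict
# does not abort a script running under `set -e`.
for sample in "$SAMPLE_PATCHED" "$SAMPLE_UPSTREAM"; do
    rc=0
    sshd_lzma_chain "$sample" || rc=$?
    echo "  (exit status $rc)"
done

# On a real host:  sshd_lzma_chain "$(ldd /usr/sbin/sshd)"
```

One caveat when running this for real: `ldd` executes the system's dynamic loader on the binary to resolve the full (transitive) dependency list, so on a binary you do not trust, prefer `objdump -p /usr/sbin/sshd | grep NEEDED`, which reads the ELF headers without running anything. That only shows direct dependencies, so it will reveal libsystemd but not liblzma, which is exactly the indirection the thread is complaining about.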