[Discuss] Debian 12 in the Cloud
Rich Pieri
richard.pieri at gmail.com
Fri May 31 12:44:28 EDT 2024
On Fri, 31 May 2024 08:50:02 -0700
Kent Borg <kentborg at borg.org> wrote:
> But how in the hell could a compromise of xz put a backdoor into
> sshd‽‽ Because systemd patches sshd…because systemd.
It didn't. There is no vulnerability in OpenSSH.
There is no vulnerability in OpenSSH patched to work with systemd's
logging facilities. The vulnerability lies in systemd's use of xz.
OpenSSH is the vector used to invoke the back door embedded in xz. I'm
oversimplifying things, because the "simple" description is anything
but simple:
https://x.com/fr0gger_/status/1774342248437813525
https://www.linkedin.com/posts/rekunkel_great-infographic-about-the-xz-outbreak-activity-7180237206685409281-ITXL
And in fact, systemd was about to *remove* the xz dependency when the
backdoor was discovered. It's possible that this announcement caused
the actors behind the backdoor to accelerate their plans, which in turn
may have contributed to its discovery.
--
\m/ (--) \m/
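
Added example, not part of the original message: one way to see how a binary such as sshd ends up loading liblzma without linking it directly, by following DT_NEEDED entries from one object to the next. The `readelf -d` excerpts are constructed samples (not captured from a real host), and the names `needed` and `chain_to` are illustrative.

```python
import re
from collections import deque

# Constructed `readelf -d` excerpts (assumed sample data), keyed by object name.
READELF_SAMPLES = {
    "sshd": """
 0x0000000000000001 (NEEDED)             Shared library: [libcrypto.so.3]
 0x0000000000000001 (NEEDED)             Shared library: [libsystemd.so.0]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
""",
    "libsystemd.so.0": """
 0x0000000000000001 (NEEDED)             Shared library: [libcap.so.2]
 0x0000000000000001 (NEEDED)             Shared library: [liblzma.so.5]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000000e (SONAME)             Library soname: [libsystemd.so.0]
""",
    "libcrypto.so.3": """
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
""",
}

NEEDED_RE = re.compile(r"\(NEEDED\)\s+Shared library: \[([^\]]+)\]")


def needed(readelf_text):
    """Return the DT_NEEDED sonames listed in one `readelf -d` dump."""
    return NEEDED_RE.findall(readelf_text)


def chain_to(root, target, dumps):
    """Breadth-first search for the shortest load chain from root to target.

    Objects with no dump (libc.so.6 in the sample) are treated as leaves.
    Returns the chain as a list, or None if target is never pulled in.
    """
    queue, seen = deque([[root]]), {root}
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        for lib in needed(dumps.get(path[-1], "")):
            if lib not in seen:
                seen.add(lib)
                queue.append(path + [lib])
    return None


if __name__ == "__main__":
    chain = chain_to("sshd", "liblzma.so.5", READELF_SAMPLES)
    print(" -> ".join(chain) if chain else "liblzma.so.5 is not loaded")
```

On a real host the dumps would come from running `readelf -d` on the binary and on each library it resolves to.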