[Discuss] Debian 12 in the Cloud
Kent Borg
kentborg at borg.org
Fri May 31 13:07:29 EDT 2024
On 5/31/24 09:44, Rich Pieri wrote:
> OpenSSH is the vector used to invoke the back door embedded in xz. I'm
> oversimplifying things, because the "simple" description is anything
> but simple:
Sounds like I painted my brush a bit broad in blaming stupid systemd
when I should blame distributions for using stupid systemd.
From
https://arstechnica.com/security/2024/04/what-we-know-about-the-xz-utils-backdoor-that-almost-infected-the-world/

> OpenSSH, the most popular sshd implementation, doesn't link the
> liblzma library, but Debian and many other Linux distributions add a
> patch to link sshd to systemd <https://en.wikipedia.org/wiki/Systemd>,
> a program that loads a variety of services during the system bootup.
> Systemd, in turn, links to liblzma, and this allows xz Utils to exert
> control over sshd.
The point remains that the code OpenSSH people reviewed, merged, tested,
and published was *not* vulnerable. But as part of using systemd, others
patched sshd to add a new dependency, adding a backdoor, and the
resulting code almost hit stable.
So, yes, I am also pissed at Debian for putting this unnecessarily
complex software (complex is bad) in their distribution.
I'm also pissed at Debian for going along with removing menu bars and
removing window drag bars and removing scroll bars and instead adding
big UI widgets and generally thinking my mouse-equipped Linux machine is
a thumb-operated "smartphone", but that's getting off topic.
-kb
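The dependency chain the quoted article describes (sshd linked to libsystemd, which links liblzma) is something a defender can verify on a host. As an added example that is not part of the post or the article, this traces a binary's DT_NEEDED graph and reports the chain through which liblzma is reached; the Debian-like graph, the sonames in it and the `/usr/sbin/sshd` path are constructed or assumed.

```python
"""Added example (not from the post or the Ars Technica article): trace
whether a binary transitively loads liblzma, and through which library,
using DT_NEEDED edges. A constructed graph mirroring the described Debian
layout is embedded so the logic runs offline."""
import re
import subprocess
from collections import deque

# Constructed edges: sshd -> libsystemd -> liblzma, as the quoted article
# describes for Debian's patched sshd. Sonames and versions are illustrative.
DEBIAN_LIKE_GRAPH = {
    "sshd": ["libsystemd.so.0", "libcrypto.so.3", "libc.so.6"],
    "libsystemd.so.0": ["liblzma.so.5", "libzstd.so.1", "libc.so.6"],
    "libcrypto.so.3": ["libc.so.6"],
    "liblzma.so.5": ["libc.so.6"],
    "libzstd.so.1": ["libc.so.6"],
    "libc.so.6": [],
}

def find_path(graph, start, target_prefix):
    """Shortest chain of libraries from `start` to one whose soname starts
    with `target_prefix`, or None if that library is never loaded."""
    queue, seen = deque([[start]]), {start}
    while queue:
        path = queue.popleft()
        for dep in graph.get(path[-1], []):
            if dep.startswith(target_prefix):
                return path + [dep]
            if dep not in seen:
                seen.add(dep)
                queue.append(path + [dep])
    return None

def build_live_graph(binary):
    """DT_NEEDED graph of a real binary: `ldd` maps every soname to a file on
    disk, `readelf -d` lists each file's direct dependencies (assumes glibc
    ldd and GNU binutils; ldd invokes the loader, so use it on trusted files)."""
    ldd = subprocess.run(["ldd", binary], capture_output=True,
                         text=True, check=True).stdout
    soname_path = {m.group(1): m.group(2)
                   for m in re.finditer(r"^\s*(\S+) => (/\S+)", ldd, re.M)}
    graph = {}
    for name, path in [(binary, binary), *soname_path.items()]:
        out = subprocess.run(["readelf", "-d", path], capture_output=True,
                             text=True, check=True).stdout
        graph[name] = re.findall(r"Shared library: \[([^\]]+)\]", out)
    return graph

if __name__ == "__main__":
    sshd = "/usr/sbin/sshd"  # assumed Debian path; adjust for your host
    print(find_path(build_live_graph(sshd), sshd, "liblzma"))
```

On a host where the chain exists the live run prints the path ending in liblzma; `None` means sshd does not reach liblzma through its shared-library dependencies.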