On 5/31/24 09:44, Rich Pieri wrote:
> OpenSSH is the vector used to invoke the back door embedded in xz. I'm
> oversimplifying things, because the "simple" description is anything
> but simple:

Sounds like I painted my brush a bit broad in blaming stupid systemd when I should blame distributions for using stupid systemd.


From https://arstechnica.com/security/2024/04/what-we-know-about-the-xz-utils-backdoor-that-almost-infected-the-world/

> OpenSSH, the most popular sshd implementation, doesn't link the liblzma library, but Debian and many other Linux distributions add a patch to link sshd to systemd <https://en.wikipedia.org/wiki/Systemd>, a program that loads a variety of services during the system bootup. Systemd, in turn, links to liblzma, and this allows xz Utils to exert control over sshd.


The point remains that the code OpenSSH people reviewed, merged, tested, and published was *not* vulnerable. But as part of using systemd, others patched sshd to add a new dependency, adding a backdoor, and the resulting code almost hit stable.

So, yes, I am also pissed at Debian for putting this unnecessarily complex software (complex is bad) in their distribution.


I'm also pissed at Debian for going along with removing menu bars and removing window drag bars and removing scroll bars and instead adding big UI widgets and generally thinking my mouse-equipped Linux machine is a thumb-operated "smartphone", but that's getting off topic.


-kb
_______________________________________________
Discuss mailing list
Discuss@driftwood.blu.org
https://driftwood.blu.org/mailman/listinfo/discuss
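The dependency chain the thread describes (sshd patched to link libsystemd, which in turn links liblzma) is something an administrator can check for rather than take on faith. The following is an added example, not code from the list thread or from any of the projects named in it: a small POSIX sh script that walks direct NEEDED entries and reports the chain through which liblzma becomes reachable from a binary. So that it runs offline, the dependency table is a constructed sample modelled on the chain in the quoted article, not real ldd or objdump output; the `needed_of` helper shows how the same table would be populated from a live system with binutils' `objdump -p`.

```shell
#!/bin/sh
# Added example (not from the thread): find whether, and via which chain, a shared
# library such as liblzma is reachable from a binary's direct dependencies.

# Constructed sample table, one line per object: "object: dep1 dep2 ...".
# It mirrors the chain described in the quoted article (sshd -> libsystemd -> liblzma)
# and is NOT captured from a real system.
SAMPLE_DEPS='sshd: libcrypto.so.3 libsystemd.so.0 libc.so.6
libsystemd.so.0: liblzma.so.5 libzstd.so.1 libc.so.6
libcrypto.so.3: libc.so.6
liblzma.so.5: libc.so.6
libzstd.so.1: libc.so.6
libc.so.6:'

# direct_deps OBJECT -> prints the direct (NEEDED) dependencies of OBJECT from the sample table.
direct_deps() {
    printf '%s\n' "$SAMPLE_DEPS" | awk -v obj="$1" '
        $1 == (obj ":") { for (i = 2; i <= NF; i++) print $i }'
}

# needed_of FILE -> prints the NEEDED entries of a real ELF file (requires binutils).
# Not used by the offline demo; on a live host it is the replacement for direct_deps,
# with each printed soname resolved to a path (e.g. from `ldconfig -p`) before recursing.
needed_of() {
    objdump -p "$1" 2>/dev/null | awk '$1 == "NEEDED" { print $2 }'
}

# find_chain OBJECT TARGET -> prints e.g. "sshd -> libsystemd.so.0 -> liblzma.so.5"
# and returns 0 when TARGET is reachable, 1 otherwise. Depth-first walk; positional
# parameters are used instead of variables because POSIX sh has no `local`.
find_chain() {
    _walk "$1" "$2" "$1" " "
}
# _walk OBJECT TARGET PATH_SO_FAR VISITED  (VISITED is space-padded, holds the ancestors
# on the current path so that a cyclic table cannot loop forever)
_walk() {
    for _dep in $(direct_deps "$1"); do
        case "$4" in *" $_dep "*) continue ;; esac
        if [ "$_dep" = "$2" ]; then
            printf '%s -> %s\n' "$3" "$_dep"
            return 0
        fi
        if _walk "$_dep" "$2" "$3 -> $_dep" "$4$_dep "; then
            return 0
        fi
    done
    return 1
}

# Stand-alone demo on the constructed table.
if chain=$(find_chain sshd liblzma.so.5); then
    echo "liblzma reachable: $chain"
else
    echo "liblzma not reachable from sshd"
fi
```

The interesting output is the chain, not the yes/no: a distribution's sshd that reaches liblzma only through libsystemd is exactly the situation the article describes, whereas an upstream OpenSSH build should report no chain at all. Because the walk tracks only the ancestors of the current path, it reports the first chain found in NEEDED order rather than every chain.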