On 2024-03-31 18:26, Rich wrote:

I'm one hundred percent sure state-level actors are already doing this in numerous small auxiliary libraries as well as Python pip, Rust, Go and others.

> Grant Taylor <gtaylor@tnetconsulting.net> wrote:
>> On 3/31/24 08:38, John McCue wrote:
>>> Yes, this seems to have been part of the "connection".
>>> Thanks, here is another interesting link that describes how the issue
>>> occurred and indicates why *BSD and distros like Slackware would not
>>> be vulnerable.
>
> My understanding is that effectively the differentiating factor of whether
> a distro is impacted or not is whether it uses systemd or not.
>
>>> Purportedly sshd itself doesn't use xz.
>
> It does not. Directly, that is.
>
>>> But sshd built on / for systemd distros ends up having xz added as a
>>> library / dependency because of systemd compatibility, because systemd
>>> does use xz for things.
>
> Some distros, in their zeal to "systemd all the things", patch OpenSSH
> to link it to a systemd library for logging purposes. That addition of
> a systemd library for logging is what ultimately linked the xz/lzma
> library into OpenSSH, because somewhere in that systemd library's
> dependency chain was libxz/lzma.
>
>>> As such, my supposition is that things like *BSD, Slackware, and
>>> Gentoo (OpenRC old default) aren't affected because they don't have
>>> -> use systemd.
>
> They are not, because their OpenSSH is not linked to libxz/lzma in any
> way.
>
> But.... this is nearly a "Reflections on Trusting Trust" [1] level
> opsec attempt, and so just because BSD/Slackware/Gentoo happen to be
> immune this time does not mean they would be immune to another opsec
> attempt against an OpenSSH direct dependency which might gain a
> similarly well hidden backdoor.

A well funded bad actor will likely find a target to do their thing. They did not attack systemd directly, but a small auxiliary library from another project, one that had little attention from developers. Once this hole is plugged, they will seek another one.

That was a two-year investment to plant a mole. There might be others.
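The check a practitioner would run after reading the exchange above, as an added example that is not part of the thread: the thread's point is that sshd never uses xz itself, but distro patches that link OpenSSH against libsystemd drag liblzma into the sshd process image. The script below inspects `ldd` output for exactly that pair of libraries and compares the installed xz version against the two upstream releases known to carry the backdoor (5.6.0 and 5.6.1, CVE-2024-3094). The two `ldd` transcripts are constructed sample input, and the library paths in them are illustrative; the live check at the end only runs if sshd, ldd and xz are present on the host.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenSSH/systemd/xz.
# Question from the thread: does this sshd reach liblzma through libsystemd?

# Given the text output of `ldd /path/to/sshd`, report whether the two
# libraries discussed in the thread are linked in. Exit status is 0 when
# liblzma is present (the exposure the thread describes), 1 otherwise.
sshd_links_liblzma() {
    ldd_output="$1"
    lzma=no
    sd=no
    printf '%s\n' "$ldd_output" | grep -q 'liblzma\.so'    && lzma=yes
    printf '%s\n' "$ldd_output" | grep -q 'libsystemd\.so' && sd=yes
    echo "libsystemd: $sd  liblzma: $lzma"
    [ "$lzma" = yes ]
}

# The backdoored upstream tarballs were xz 5.6.0 and 5.6.1 (CVE-2024-3094).
# Exit status 0 means "one of the known-bad releases".
xz_version_is_known_bad() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Constructed sample input: ldd output as seen on a systemd distro whose
# OpenSSH is patched for libsystemd, versus a build without that patch.
# Paths and addresses are illustrative, not captured from a real host.
SYSTEMD_SSHD_LDD='	linux-vdso.so.1 (0x00007ffd6c3f0000)
	libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f1a2c000000)
	libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f1a2bf00000)
	liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f1a2be00000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1a2bc00000)'
PLAIN_SSHD_LDD='	libcrypto.so.3 => /usr/lib64/libcrypto.so.3 (0x00007f5e10000000)
	libc.so.6 => /lib64/libc.so.6 (0x00007f5e0fe00000)'

# Live check on this host. Falls through quietly when the tools are absent.
live_check() {
    sshd_path=$(command -v sshd 2>/dev/null) || sshd_path=/usr/sbin/sshd
    if [ -x "$sshd_path" ] && command -v ldd >/dev/null 2>&1; then
        echo "== $sshd_path"
        sshd_links_liblzma "$(ldd "$sshd_path" 2>/dev/null)" || true
    fi
    if command -v xz >/dev/null 2>&1; then
        # First line of `xz --version` is "xz (XZ Utils) X.Y.Z"; take the last field.
        v=$(xz --version 2>/dev/null | awk 'NR==1 {print $NF}')
        if xz_version_is_known_bad "$v"; then
            echo "xz $v: one of the known backdoored releases"
        else
            echo "xz $v: not one of the known backdoored releases"
        fi
    fi
}

echo "== constructed systemd-distro sample"
sshd_links_liblzma "$SYSTEMD_SSHD_LDD" || true
echo "== constructed non-systemd sample"
sshd_links_liblzma "$PLAIN_SSHD_LDD" || true
live_check
```

Note that a clean `ldd` result answers only the question the thread raises (is liblzma reachable from sshd at all); it says nothing about whether a linked liblzma is the trojaned build, which is why the version comparison is kept separate. A distro-patched xz that reports 5.6.1 but has been rebuilt from clean sources will still trip the version check, so treat a hit as a prompt to verify the package, not as proof on its own.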