Liste des Groupes | Revenir à col misc |
On Sun, 31 Mar 2024 13:38:32 -0400, Rich <rich@example.invalid> wrote:
David W. Hodgins <dwhodgins@nomail.afraid.org> wrote:On Sun, 31 Mar 2024 12:05:58 -0400, Grant Taylor <gtaylor@tnetconsulting.net> wrote:>
>On 3/31/24 08:38, John McCue wrote:>Thanks, here is another interesting link that describes how the issue>
occurred and indicates why *BSD and Distros like Slackware would not
be vulnerable.
My understanding is that effectively the differentiating factor of if a
distro is impacted or not is if it uses systemd or not.
sshd supports compression. xz is an option for how things are compressed.
ssh supports zlib compression. It (ssh) does not offer lzma/xz as a
compression option.
>
xz got pulled into ssh on systemd systems because systemd supports
using xz/lzma for journald compression, and it is therefore a
dependency of libsystemd. Some distros patch sshd to link to
libsystemd so that their sshd can "notify" systemd that it is up via a
call to a libsystemd function.
Perhaps ssh is only impacted on systemd systems, but anything processing
untrusted xz compressed files, such as clamav is still vulnerable, so the
statement that only systems using systemd are vulnerable is not correct.
Any system using xz 5.6.0 or 5.6.1 is vulnerable.
Les messages affichés proviennent d'usenet.