@GossiTheDog @wdormann
What is it with Debian and patches that end up being security holes?
OpenSSH, OpenSSL...
@sjuvonen @GossiTheDog @wdormann As I understand it, Debian took a heavily audited piece of code (OpenSSH), added a patch to use a library from an untrusted source, who then (allegedly deliberately) added a back door. What am I missing?

@leeloo You’re the one throwing accusations. Explain how Fedora and openSUSE among others using the same libs and being similarly affected is Debian’s fault? Everybody’s doing it because xz is a dependency of systemd. Clout chasing by pissing on foundational open source projects would probably fly better on LinkedIn.

@sjuvonen I'm also not the one claiming Debian added a patch, that was from the post I replied to. And if systemd really requires non-systemd daemons to link to random compression libraries, systemd is a lot worse than I have ever claimed.

@emberquill @leeloo @sjuvonen @wdormann yep, good take I think based on what we know so far, disclaimer that I am an idiot.

In mid 2023 the presumed attacker got OSS Fuzzer to decrease detection on XZ; in 2022 it looks like significant pressure from multiple accounts was used against the then maintainer and creator to hand over the project. To me it looks like a lot of work went into this over an extended period, and it all got rumbled due to one person being bored and looking into performance.

@GossiTheDog @emberquill I am just learning about this same as everyone else, but these kinds of attacks seem to be high effort, high risk since it's public with a good audit trail and all it takes is one curious soul to say "hmm that's weird" to blow the whole thing up. I don't know if there are other better hidden ops out there, but the ones that are confirmed seem to get detected within days and weeks, rarely months and years, or at least that's the layman's impression I have. Is it worth it?

@raven667 @GossiTheDog Debian-unstable was vulnerable for a whole month, and the only reason why this exploit was noticed at all was because one person thought their ssh authentication was too slow and started investigating. It could have easily remained unnoticed for another month or two.

@GossiTheDog @emberquill @leeloo @sjuvonen @wdormann once again, some weird nerd’s obsession saves the day. Weird nerds are the heroes we need, but definitely don’t deserve.

@emberquill @leeloo @sjuvonen @GossiTheDog @wdormann The question that occurs is why does compatibility with systemd-notify require any more than a write to a well known pipe? xz should not be in the picture here. *especially* with something as critical as ssh.
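The last comment asks why systemd readiness notification should need anything beyond a write to a well-known endpoint. The following is an added example, not code from this thread, from OpenSSH or from systemd: a minimal sd_notify-style sender that writes "READY=1" to the AF_UNIX datagram socket (not a pipe) named by NOTIFY_SOCKET, with no libsystemd and therefore no liblzma linked in. The names notify_send and bind_receiver are mine; bind_receiver is only a constructed stand-in for systemd's receiving end so the message can be read back locally.

```c
#define _GNU_SOURCE
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Send one sd_notify state line (e.g. "READY=1") to the AF_UNIX datagram
 * socket named by $NOTIFY_SOCKET, as sd_notify(3) documents the protocol.
 * A leading '@' means an abstract-namespace socket (Linux). Returns 1 if
 * sent, 0 when NOTIFY_SOCKET is unset (not supervised: a no-op), -1 on a
 * malformed address or a send failure. */
int notify_send(const char *state) {
    const char *path = getenv("NOTIFY_SOCKET");
    if (path == NULL || path[0] == '\0') return 0;
    if (path[0] != '/' && path[0] != '@') return -1;
    size_t len = strlen(path);
    struct sockaddr_un addr;
    memset(&addr, 0, sizeof addr);
    if (len >= sizeof addr.sun_path) return -1;
    addr.sun_family = AF_UNIX;
    memcpy(addr.sun_path, path, len);
    socklen_t addrlen = (socklen_t)(offsetof(struct sockaddr_un, sun_path) + len);
    if (path[0] == '@') addr.sun_path[0] = '\0'; /* abstract: no trailing NUL */
    else addrlen += 1;                             /* pathname: include the NUL */
    int fd = socket(AF_UNIX, SOCK_DGRAM | SOCK_CLOEXEC, 0);
    if (fd < 0) return -1;
    ssize_t n = sendto(fd, state, strlen(state), MSG_NOSIGNAL,
                       (const struct sockaddr *)&addr, addrlen);
    close(fd);
    return n == (ssize_t)strlen(state) ? 1 : -1;
}

/* Constructed helper standing in for systemd's receiving end: bind a
 * datagram socket at a filesystem path. Returns the fd, or -1. */
int bind_receiver(const char *path) {
    struct sockaddr_un addr;
    memset(&addr, 0, sizeof addr);
    addr.sun_family = AF_UNIX;
    snprintf(addr.sun_path, sizeof addr.sun_path, "%s", path);
    unlink(path);
    int fd = socket(AF_UNIX, SOCK_DGRAM, 0);
    if (fd < 0) return -1;
    if (bind(fd, (const struct sockaddr *)&addr, sizeof addr) < 0) { close(fd); return -1; }
    return fd;
}
```

Under a real `Type=notify` unit, systemd sets NOTIFY_SOCKET itself; outside one, notify_send() returns 0 and the daemon carries on unchanged.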
@leeloo @GossiTheDog @wdormann Maybe read the announcements before spouting stupid hot takes?