From: rich@example.invalid   
      
   noel wrote:   
   > On Fri, 29 Mar 2024 20:38:32 +0000, Sylvain Robitaille wrote:   
   >   
   >> On 2024-03-29, I wrote:   
   >>   
   >>> Note that Slackware-Current has shipped xz-5.6.1 since it was   
   >>> updated on 2024-03-09. I have no system on which I can test   
   >>> whether the vulnerability impacts Slackware-current, but I wanted   
   >>> to warn those who use it.   
   >>   
   >> Upon further study, I'm led to believe that Slackware is unaffected   
   >> (possibly even in Slackware-Current). The malicious code apparently   
   >> specifically targets RedHat and Debian derivative build   
   >> environments, and at least on my Slackware-15.0 and older systems,   
   >> liblzma is not linked into the OS-provided sshd binary.   
   >   
   > I'm sure everyone's seen Pat's post on the subject that you are   
   > referencing where he already confirmed he does not link in systemd   
   > crud that drags in liblzma.   
   >   
   > lessons here - always sign your release packages, and with keys held   
   > by you and not your server, always check validity of such d/l'd   
   > files... ummmm... especially when you're a distro packager /sigh/   
      
   And it helps not when one of your upstream dependencies has a determined   
   and patient individual run a multi-year op to backdoor that   
   dependency. Which is what the news about the xz backdoor is   
   indicating. The individual responsible has been slowly working this op   
   over the course of a few years.   
      
   You can sign your release packages, which indicate they came from you.   
   And you can verify the signatures of your dependencies to verify they   
   came from the dependency author. But if the dependency author starts   
   running a "backdoor op" on your dependency, you are owned nonetheless.   
   You verified you were using the proper, official, dependency. It's   
   just that the proper, official, one is the one that has been   
   backdoored.   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)   
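The check Sylvain describes above (is liblzma linked into the OS-provided sshd, and which xz release is installed) as a small added script; this is not code from the thread, and it assumes a Slackware-style sshd at /usr/sbin/sshd, an `ldd` that lists transitive dependencies, and an `xz --version` first line of the form "xz (XZ Utils) 5.x.y".

```shell
#!/bin/sh
# Added example, not from the thread: does a given sshd pull in liblzma
# (directly, or transitively via libsystemd as on RedHat/Debian builds),
# and is the installed xz one of the releases that shipped the backdoor?

# Read `ldd` output on stdin; print every line naming liblzma or libsystemd.
# ldd lists transitive dependencies, so liblzma shows up even when it only
# arrives through libsystemd. Returns 0 when liblzma is present, 1 otherwise.
liblzma_in_ldd() {
    found=1
    while IFS= read -r line; do
        case "$line" in
            *liblzma*)    echo "liblzma linked:    $line"; found=0 ;;
            *libsystemd*) echo "libsystemd linked: $line" ;;
        esac
    done
    return "$found"
}

# Returns 0 if the xz version string is 5.6.0 or 5.6.1, the two releases
# known to carry the backdoored liblzma (5.6.1 is the one the thread names).
xz_version_backdoored() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Extract the version from the first line of `xz --version`
# ("xz (XZ Utils) 5.4.6"), read from stdin. Assumed output format.
xz_version_from_output() {
    sed -n '1s/^xz (XZ Utils) //p'
}

# Live check of the local system. ldd runs the dynamic loader against the
# target, so only point it at a binary you already trust.
check_system() {
    sshd="${1:-/usr/sbin/sshd}"
    [ -x "$sshd" ] || { echo "no sshd at $sshd"; return 2; }
    if ldd "$sshd" 2>/dev/null | liblzma_in_ldd; then
        echo "WARNING: $sshd loads liblzma; check the xz version below"
    else
        echo "OK: $sshd does not load liblzma"
    fi
    ver=$(xz --version 2>/dev/null | xz_version_from_output)
    if xz_version_backdoored "$ver"; then
        echo "WARNING: xz $ver is a backdoored release"
    else
        echo "xz version: ${ver:-not installed}"
    fi
}

if [ "${1:-}" = "--run" ]; then check_system "${2:-}"; fi
```

Run it as `sh check.sh --run [/path/to/sshd]`; a system where sshd does not load liblzma at all is unaffected regardless of which xz is installed.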