
Re: making Debian secure by default



* On 2024 01 Apr 16:55 -0500, Charles Curley wrote:
> On Mon, 1 Apr 2024 19:00:29 +0000
> Andy Smith <andy@strugglers.net> wrote:
> 
> > In my view a great example of the "people other than me just need to
> > get good" fallacy merged with the group of people predisposed to
> > hate systemd.
> > 
> > It could have been any direct or indirect dependency of sshd here.
> > I'm quite sure almost none of them have the required resources and
> > processes to detect something like this.
> 
> Easy, now. No-one is attacking systemd, and I don't think anyone wanted
> to start a systemd war. This could also have happened under System V
> initialization.

AIUI (please correct me if I am in error), any dependency chain that
then depends on something else could create a vulnerability.  I am
rather surprised to see that openssh-server has so many dependencies:

Depends: adduser, libpam-modules, libpam-runtime, lsb-base,
openssh-client (= 1:9.2p1-2+deb12u2), openssh-sftp-server, procps, ucf,
debconf (>= 0.5) | debconf-2.0, runit-helper (>= 2.14.0~), libaudit1 (>=
1:2.2.1), libc6 (>= 2.36), libcom-err2 (>= 1.43.9), libcrypt1 (>=
1:4.1.0), libgssapi-krb5-2 (>= 1.17), libkrb5-3 (>= 1.13~alpha1+dfsg),
libpam0g (>= 0.99.7.1), libselinux1 (>= 3.1~), libssl3 (>= 3.0.11),
libsystemd0, libwrap0 (>= 7.6-4~), zlib1g (>= 1:1.1.4)

Not all are libraries, but if IUC, libc6 shows to depend on libgcc-s1,
so if that library could be compromised, then openssh-server could be
vulnerable.  It's quite possible that I am wrong (hopefully) or we have
an even more massive problem.

> I have no doubt that this sort of thing has happened in the past, and I
> fully expect it will happen again in the future. However, the defect
> has been caught and repaired. The system for dealing with
> vulnerabilities is working, if not perfectly. The question now is: what
> lessons can we learn from it.

From what I am seeing right now, discussions are centering around
comparing the file list associated with a VCS tag with that of a release
tarball, and somehow verifying the identity of contributors/committers.  I'm sure
other ideas are being discussed that I've not read.  Suffice it to say,
at the moment this is not being swept under the proverbial rug.

- Nate

-- 
"The optimist proclaims that we live in the best of all
possible worlds.  The pessimist fears this is true."
Web: https://www.n0nb.us
Projects: https://github.com/N0NB
GPG fingerprint: 82D6 4F6B 0E67 CD41 F689 BBA6 FB2C 5130 D55A 8819
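
The dependency chain Nate is surprised by can be walked mechanically. The block below is an added example, not code from the post, from Debian or from any of the packages named: it parses Depends: fields in the shape `dpkg -s` and `apt-cache show` print them, keeps every branch of an `a | b` alternative (either may be the one installed), drops the version constraints, and walks the graph breadth-first so each reachable package is reported with the shortest chain leading to it. The openssh-server stanza is the one quoted above; the libc6, libgcc-s1 and libsystemd0 stanzas are shortened, illustrative stanzas constructed so the example runs offline, not a live query of any system.

```python
"""Walk the transitive dependency closure of a Debian package.

Added example; not code from the original post or from Debian.  Parses
Depends: fields as printed by 'dpkg -s' / 'apt-cache show', keeps every
alternative of an 'a | b' relation, drops version constraints, and walks
the graph breadth-first.  The openssh-server stanza is quoted from the
post; the other stanzas are shortened, illustrative input constructed so
the example runs offline.  On a real system feed it 'apt-cache show'.
"""
import re
from collections import deque

# Constructed input (not a live query).  The openssh-server Depends: value
# is the one quoted in the post, wrapped as RFC-822 style continuation lines.
CONTROL_STANZAS = {
    "openssh-server": """Package: openssh-server
Depends: adduser, libpam-modules, libpam-runtime, lsb-base,
 openssh-client (= 1:9.2p1-2+deb12u2), openssh-sftp-server, procps, ucf,
 debconf (>= 0.5) | debconf-2.0, runit-helper (>= 2.14.0~), libaudit1 (>=
 1:2.2.1), libc6 (>= 2.36), libcom-err2 (>= 1.43.9), libcrypt1 (>=
 1:4.1.0), libgssapi-krb5-2 (>= 1.17), libkrb5-3 (>= 1.13~alpha1+dfsg),
 libpam0g (>= 0.99.7.1), libselinux1 (>= 3.1~), libssl3 (>= 3.0.11),
 libsystemd0, libwrap0 (>= 7.6-4~), zlib1g (>= 1:1.1.4)
""",
    # Shortened, illustrative stanzas assumed for the example.
    "libc6": "Package: libc6\nDepends: libgcc-s1\n",
    "libgcc-s1": "Package: libgcc-s1\nDepends: gcc-12-base, libc6 (>= 2.35)\n",
    "libsystemd0": (
        "Package: libsystemd0\n"
        "Depends: libc6 (>= 2.34), libcap2 (>= 1:2.10), libgcrypt20 (>= 1.10.0),\n"
        " liblz4-1 (>= 0.0~r122), liblzma5 (>= 5.1.1alpha+20120614), libzstd1 (>= 1.5.2)\n"
    ),
}

# A Debian package name: lowercase alphanumerics plus '+', '-', '.'.  The
# match also stops before an architecture qualifier such as ':any'.
_PKG_NAME = re.compile(r"[a-z0-9][a-z0-9+.\-]*")


def depends_from_control(stanza: str) -> str:
    """Return the Depends: value of a control stanza, joining continuation lines."""
    parts, collecting = [], False
    for line in stanza.splitlines():
        if line.startswith("Depends:"):
            parts.append(line[len("Depends:"):].strip())
            collecting = True
        elif collecting and line[:1] in (" ", "\t"):
            parts.append(line.strip())
        else:
            collecting = False
    return " ".join(parts)


def parse_depends(field: str) -> list[list[str]]:
    """Split a Depends: value into relations; each relation is the list of
    alternative package names, with version constraints removed."""
    relations = []
    for relation in field.split(","):
        alternatives = []
        for atom in relation.split("|"):
            match = _PKG_NAME.match(atom.strip())
            if match:
                alternatives.append(match.group(0))
        if alternatives:
            relations.append(alternatives)
    return relations


def build_closure(root: str, depends_fields: dict[str, str]) -> dict[str, int]:
    """Breadth-first walk from root; returns {package: shortest chain length}.
    Packages with no stanza are treated as leaves, and the visited set makes
    cycles (libc6 <-> libgcc-s1 above) terminate."""
    depth = {root: 0}
    queue = deque([root])
    while queue:
        pkg = queue.popleft()
        for alternatives in parse_depends(depends_fields.get(pkg, "")):
            for dep in alternatives:
                if dep not in depth:
                    depth[dep] = depth[pkg] + 1
                    queue.append(dep)
    return depth


DEPENDS_FIELDS = {name: depends_from_control(s) for name, s in CONTROL_STANZAS.items()}

if __name__ == "__main__":
    closure = build_closure("openssh-server", DEPENDS_FIELDS)
    for pkg, d in sorted(closure.items(), key=lambda kv: (kv[1], kv[0])):
        print(f"{d}  {pkg}")
    print(f"{len(closure) - 1} packages reachable from openssh-server")
```

With the constructed stanzas the walk reaches 30 packages beyond openssh-server itself, including libgcc-s1 two hops away through libc6; against a real `apt-cache show` dump of every package on the system the count is what tells you how many upstreams would need the review resources Andy Smith mentions.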

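The tag-versus-tarball comparison mentioned above is simple to automate. This is an added example, not code from the post or from any project: the tag side of the comparison would come from `git ls-tree -r --name-only <tag>` in a local checkout (the `vcs_files_from_git` helper does exactly that), and the tarball from the project's release download; here both are constructed inline so the check runs offline. Autotools-style release tarballs legitimately carry generated files such as `configure` and `Makefile.in` that are never committed, so those sit on an explicit allow-list, and any other file that exists only in the tarball is reported as unexplained. The project, file names and contents in the sample are hypothetical.

```python
"""Compare a release tarball's file list with the tree recorded at a VCS tag.

Added example; not code from the original post or from any project.
Generated files that a release legitimately ships but never commits go on
an allow-list; everything else that is tarball-only is flagged.
"""
import io
import subprocess
import tarfile
from typing import Iterable


def vcs_files_from_git(repo: str, tag: str) -> set[str]:
    """Files tracked at `tag` in a local git checkout (needs git on PATH;
    not used by the offline sample below)."""
    out = subprocess.run(
        ["git", "-C", repo, "ls-tree", "-r", "--name-only", tag],
        check=True, capture_output=True, text=True,
    ).stdout
    return {line for line in out.splitlines() if line}


def build_tarball(files: dict[str, bytes], prefix: str = "pkg-1.0") -> bytes:
    """Constructed gzip tarball laid out like a release archive (pkg-1.0/...)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, content in files.items():
            info = tarfile.TarInfo(name=f"{prefix}/{path}")
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def tarball_members(data: bytes) -> set[str]:
    """Regular-file paths inside a tarball, top-level directory stripped."""
    names = set()
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar:
            if member.isfile():
                name = member.name
                names.add(name.split("/", 1)[1] if "/" in name else name)
    return names


def compare_release(tarball: bytes, vcs_files: Iterable[str],
                    generated_ok: Iterable[str] = ()) -> dict[str, list[str]]:
    """Three-way split: unexplained tarball-only files, tracked files that
    were not shipped, and tarball-only files the allow-list accounts for."""
    tracked, allowed = set(vcs_files), set(generated_ok)
    shipped = tarball_members(tarball)
    return {
        "tarball_only": sorted(shipped - tracked - allowed),
        "vcs_only": sorted(tracked - shipped),
        "expected_generated": sorted(shipped & allowed),
    }


# Constructed sample data (hypothetical project, file names and contents).
VCS_TAG_FILES = [".gitignore", "configure.ac", "Makefile.am", "m4/ax_check.m4",
                 "src/main.c", "tests/run.sh"]
EXPECTED_GENERATED = {"configure", "Makefile.in", "aclocal.m4"}
SAMPLE_TARBALL = build_tarball({
    "configure.ac": b"AC_INIT([pkg], [1.0])\n",
    "Makefile.am": b"bin_PROGRAMS = pkg\n",
    "m4/ax_check.m4": b"dnl checks\n",
    "src/main.c": b"int main(void) { return 0; }\n",
    "tests/run.sh": b"#!/bin/sh\nexit 0\n",
    "configure": b"#!/bin/sh\n",          # generated, on the allow-list
    "Makefile.in": b"# generated\n",      # generated, on the allow-list
    "m4/extra-helper.m4": b"dnl ???\n",   # only in the tarball: flag it
})

if __name__ == "__main__":
    report = compare_release(SAMPLE_TARBALL, VCS_TAG_FILES, EXPECTED_GENERATED)
    for key, paths in report.items():
        print(f"{key}: {paths}")
    # Non-zero exit when anything is unexplained, so this can gate a build.
    raise SystemExit(1 if report["tarball_only"] else 0)
```

The allow-list is the part that needs judgement: keep it as short as the build system allows, and treat a file that is neither committed nor on the list as something the maintainer has to explain before the tarball is accepted.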

