![]() Ii liblzma5:i386 5.2.5-2ubuntu1 i386 XZ-format compression library Ii liblzma5:amd64 5.2.5-2ubuntu1 amd64 XZ-format compression library Ii xz-utils 5.2.5-2ubuntu1 amd64 XZ-format compression dpkg -l *liblzma* Ii pxz 4.999.99~beta5+gitfcfea93-2 amd64 parallel LZMA compressor using liblzma Looks like the LTS' of this world might have escaped this? My *buntu 22.04 LTS seems to prove that a bit of constipation might actually not be a bad dpkg -l *xz* Checked my system, I had version “5.6.0-0.2” of xz-utils installed." Re: It Was In Debian Unstable - *buntu LTS This is a direct consequence of systemd's fundamentally flawed design and implementation.īTW, Red Hat's CVE is crystal-clear about this vulnerability: "While OpenSSH is not directly linked to the liblzma library, it does communicate with systemd in such a way that exposes it to the malware due to systemd linking to liblzma." And since systemd's services generally run as root by default, systemd was able to spread that dodgy library's malware into just about anything - fortunately in this case, just sshd. systemd trusted a dodgy shared library that should never have been anywhere near an init system. Just take an objective look at the facts. The original vulnerability was/is enabled by systemd. ![]() This is why updating macOS is a pain in the arse. Which means it's impossible to modify executables like sshd without rebooting and disabling SIP in single user mode. Second, macOS has System Integrity Protection enabled by default. That means if they get modified, the signatures won't validate unless someone can compromise the root CA that ultimately signed those executables. Even if it could do that in principle, Macs have two more defences which stop that from happening.Īpple-supplied executables are signed. ![]() So any malicious code in that library can't infect the init system on macOS. Launchd, Apple's equivalent of systemd, doesn't have a dependency on liblzma. Re: systemd was responsible for injecting the vulnerability into the SSH daemon For instance, WTF does an init tool have to have any sort of dependency on any shared compression library? This creates a rat-hole of spaghetti dependencies that almost nobody can hope to understand or debug. systemd interferes in the operation, configuration and maintenance of too many system services and components. Unlike init (the original PID 1) which only did two things and did them properly. It tries to do far too many things and does all of them badly. Systemd is totally fucked up for two main reasons. They are the voices of sanity who speak truth to the delusional anti-vaxxer nutjobs of the open source world. The toxic liblzma posed little to no risk until the systemd cancer got involved.Īre systemd-haters like the anti-fluoridationists of the open-source world? Systemd was responsible for injecting the vulnerability into the SSH daemon. It was only indirectly affecting in the same sense that novichok indirectly affects the elimination of many of Putin's critics. The vulnerability was in a compression library directly affecting SSH, and only indirectly affecting systemd.
0 Comments
Leave a Reply. |