
Re: making Debian secure by default



On Mon, Apr 1, 2024 at 4:34 AM Nate Bargmann <n0nb@n0nb.us> wrote:
>
> * On 2024 31 Mar 20:46 -0500, Andy Smith wrote:
> > In the xz case the further you go looking for a root cause the wider
> > the implications are:
> >
> > Q: Why was there a back door in sshd?
> > A: Because some malicious code was linked to it.
> >
> > Q: How did malicious code get linked to it?
> > A: Its lzma dependency was compromised.
>
> From what I have read, lzma is not a direct dependency of openssh.  It
> turns out that lzma is a dependency of libsystemd and that
> relationship affected openssh.
>
> Jacob Bachmeyer in analysis
> (https://lists.gnu.org/archive/html/automake/2024-04/msg00000.html)
> says:
>
> Lastly on this topic, some of the blame for this needs to fall on the
> systemd maintainers and their "katamari" architecture. There is no good
> reason for notifications of daemon startup to pull in liblzma, but using
> libsystemd for that purpose does exactly that, and ended up getting
> xz-utils targeted as a means of getting to sshd without the OpenSSH
> maintainers noticing.
>
> End quote.

It looks like SELinux is a larger problem than Systemd:
<https://www.openwall.com/lists/oss-security/2024/03/31/9>. Systemd
already dropped the liblzma dependency, but they did it for a smaller
initram image, and not to reduce attack surface.

Jeff
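The point in the quoted analysis is that a daemon only needs libsystemd for a few bytes of startup notification, yet linking it drags in liblzma and the rest of that library's dependency graph. The sd_notify protocol itself is just a datagram of "KEY=VALUE\n" lines sent to the AF_UNIX socket named by $NOTIFY_SOCKET, so a daemon can speak it with nothing beyond libc. The following is an added example written for this page, not code from the thread, Debian, OpenSSH or systemd; the function name notify_supervisor and the self_test helper are my own, and self_test stands up a throwaway listener under /tmp to play the supervisor's role so the code can be exercised offline.

```c
/* Minimal sd_notify(3) replacement with no libsystemd dependency.
 * Added example for this thread; not code from the original message.
 * Protocol (from the sd_notify man page): send one datagram containing
 * "KEY=VALUE\n" lines to the AF_UNIX socket named by $NOTIFY_SOCKET.
 * systemd is Linux-only, so abstract socket names ("@name") are honoured. */
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/* Returns 1 if the state was delivered, 0 if NOTIFY_SOCKET is unset
 * (not running under a supervisor), -1 on error with errno set. */
int notify_supervisor(const char *state)
{
    const char *path = getenv("NOTIFY_SOCKET");
    if (path == NULL || path[0] == '\0')
        return 0;
    /* Only absolute paths and abstract names are valid socket addresses. */
    if (path[0] != '/' && path[0] != '@') {
        errno = EAFNOSUPPORT;
        return -1;
    }
    struct sockaddr_un addr;
    memset(&addr, 0, sizeof addr);
    addr.sun_family = AF_UNIX;
    size_t len = strlen(path);
    if (len >= sizeof addr.sun_path) {
        errno = ENAMETOOLONG;
        return -1;
    }
    memcpy(addr.sun_path, path, len);
    int is_abstract = (path[0] == '@');
    if (is_abstract)
        addr.sun_path[0] = '\0';   /* abstract namespace: leading NUL, no trailing NUL */
    socklen_t addrlen = (socklen_t)(offsetof(struct sockaddr_un, sun_path)
                                    + len + (is_abstract ? 0 : 1));
    int fd = socket(AF_UNIX, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;
    ssize_t n = sendto(fd, state, strlen(state), 0,
                       (struct sockaddr *)&addr, addrlen);
    int saved = errno;
    close(fd);
    if (n < 0) {
        errno = saved;
        return -1;
    }
    return 1;
}

/* Self-check (hypothetical helper, not part of any daemon): bind a
 * temporary datagram socket the way a supervisor would, point
 * NOTIFY_SOCKET at it, and confirm the exact message arrives.
 * Returns 1 on success, 0 on any failure; always unsets NOTIFY_SOCKET. */
int self_test(void)
{
    char dir[] = "/tmp/notify-demo-XXXXXX";   /* constructed scratch location */
    if (mkdtemp(dir) == NULL)
        return 0;
    char path[sizeof dir + 16];
    snprintf(path, sizeof path, "%s/notify", dir);

    struct sockaddr_un addr;
    memset(&addr, 0, sizeof addr);
    addr.sun_family = AF_UNIX;
    strncpy(addr.sun_path, path, sizeof addr.sun_path - 1);

    int ok = 0;
    int lfd = socket(AF_UNIX, SOCK_DGRAM, 0);
    if (lfd >= 0 && bind(lfd, (struct sockaddr *)&addr, sizeof addr) == 0) {
        setenv("NOTIFY_SOCKET", path, 1);
        const char *msg = "READY=1\nSTATUS=demo listening\n";
        char buf[128];
        ssize_t n = -1;
        if (notify_supervisor(msg) == 1)
            n = recv(lfd, buf, sizeof buf - 1, 0);
        unsetenv("NOTIFY_SOCKET");
        if (n >= 0) {
            buf[n] = '\0';
            ok = (strcmp(buf, msg) == 0);
        }
    }
    if (lfd >= 0)
        close(lfd);
    unlink(path);
    rmdir(dir);
    return ok;
}

int main(void)
{
    printf("self_test: %s\n", self_test() ? "ok" : "FAILED");
    /* With NOTIFY_SOCKET unset this is a no-op, as it is outside systemd. */
    printf("no supervisor: rc=%d\n", notify_supervisor("READY=1\n"));
    return 0;
}
```

The trade-off is deliberate: a daemon that inlines these forty lines loses the convenience of libsystemd's other helpers but also loses every transitive dependency that library carries, which is exactly the surface the xz attack walked through.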