Re: xz backdoor prevention and hosts.deny?

To: debian-security@lists.debian.org
Subject: Re: xz backdoor prevention and hosts.deny?
From: Gian Piero Carrubba <gpiero@rm-rf.it>
Date: Mon, 1 Apr 2024 11:48:07 +0200
Message-id: <[🔎] mhadowwpgfyx5btpvkfuaidacynogy5ulfqsqdjxkhtc3difro@k77yh4iwk57h>
In-reply-to: <kOGZUcP2qWCN6nORejvCvGVpXeyx5FSXZoubVYzHqrvWqJ5jgnYo-_MZnM4jORkyku46hZHEme1MxEWkk78wUxFMrKTMXKZ9ZkZjfR1wRx0=@proton.me>
References: <kOGZUcP2qWCN6nORejvCvGVpXeyx5FSXZoubVYzHqrvWqJ5jgnYo-_MZnM4jORkyku46hZHEme1MxEWkk78wUxFMrKTMXKZ9ZkZjfR1wRx0=@proton.me>

* [Sun, Mar 31, 2024 at 09:28:46PM +0000] Nick Sal:

With respect to debian testing, assume we filter SSH access only to asubnet using the files host.{deny,allow} (see below).Would this prevent the attack if a malicious payload was not sent fromthe allowed subnet?

I've not seen any reference to this. One could argue that tcpwrappers'check should happen in an early stage, so it could have helped. Butthat's just speculation and I would consider the system vulnerableunless someone knowledgeable (I'm not) says otherwise.

Moreover, would it have helped if additionally allowing only public-keyauthentication for SSH?

All sources I've read agree that this was not sufficient (actually, themalicious code resided in the function verifying the key signatures).


Best,
Gian Piero.

Reply to:

Next by Date: security-tracker: A proposal to significantly reduce reported false-positives (no affected-code shipped)
Next by thread: security-tracker: A proposal to significantly reduce reported false-positives (no affected-code shipped)
Index(es):
- Date
- Thread