
182 points yarapavan | 1 comments
ndiddy ◴[] No.43614890[source]
> The OpenSSH project is careful about not taking on unnecessary dependencies, but Debian was not as careful. That distribution patched sshd to link against libsystemd, which in turn linked against a variety of compression packages, including xz's liblzma. Debian's relaxing of sshd's dependency posture was a key enabler for the attack, as well as the reason its impact was limited to Debian-based systems such as Debian, Ubuntu, and Fedora, avoiding other distributions such as Arch, Gentoo, and NixOS.

Does Fedora use Debian's patch set for sshd, or a similar patch set that adds libsystemd?

Edit: It looks like Fedora wasn't affected because the backdoor triggered a valgrind test failure, so they shipped it with a flag that disabled the functionality that was backdoored. Seems like they lucked out. https://lists.fedoraproject.org/archives/list/devel@lists.fe...

replies(2): >>43615739 #>>43619696 #
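A defender's check for the dependency chain the quoted passage describes (sshd linking libsystemd, which pulls in liblzma), added here as an example and not part of the thread: parse `ldd` output for an sshd binary and report whether libsystemd and liblzma are among the loaded objects. The sample `ldd` output and library paths are constructed for illustration.

```python
import re
import subprocess
from typing import Dict, List

# Shared objects named in the quoted passage as the problematic chain:
# sshd -> libsystemd -> liblzma (xz). Matched as soname prefixes.
WATCHED = ("libsystemd", "liblzma")

# Constructed sample of `ldd /usr/sbin/sshd` on a distribution whose sshd was
# patched to link libsystemd; addresses and paths are illustrative only.
SAMPLE_LDD = """\
    linux-vdso.so.1 (0x00007ffd1c5f1000)
    libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f3b1a000000)
    libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f3b19f00000)
    liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f3b19ec0000)
    libzstd.so.1 => /lib/x86_64-linux-gnu/libzstd.so.1 (0x00007f3b19e00000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3b19c00000)
"""

# "<soname> => <path> (<addr>)"; the vdso line has no "=>" and is skipped.
LDD_LINE = re.compile(r"^\s*(\S+)\s*=>\s*(\S+)")


def parse_ldd(output: str) -> Dict[str, str]:
    """Map each resolved soname to the path the dynamic loader picked for it."""
    deps: Dict[str, str] = {}
    for line in output.splitlines():
        m = LDD_LINE.match(line)
        if m and m.group(2) != "not":  # skip "<soname> => not found"
            deps[m.group(1)] = m.group(2)
    return deps


def audit_sshd_deps(output: str) -> List[str]:
    """Return the watched libraries (libsystemd, liblzma) present in ldd output.

    ldd shows the transitive closure, so liblzma appears here even though
    sshd itself only asked for libsystemd."""
    return sorted(name for name in parse_ldd(output) if name.startswith(WATCHED))


def audit_binary(path: str = "/usr/sbin/sshd") -> List[str]:
    """Run ldd on an installed binary and audit it. Only use on trusted binaries:
    some ldd implementations execute the target to resolve its dependencies."""
    out = subprocess.run(["ldd", path], capture_output=True, text=True, check=True).stdout
    return audit_sshd_deps(out)


if __name__ == "__main__":
    print("sample sshd pulls in:", audit_sshd_deps(SAMPLE_LDD))
```

An empty result for a real sshd means neither library is in its load set; a result naming liblzma means the xz code is mapped into the sshd process, which is the exposure the passage describes.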
1. ◴[] No.43615739[source]