Re: [Hampshire] Security compromise in liblzma/OpenSSH daemo…

Author: James Dutton via Hampshire
Date:  
To: Hampshire LUG Discussion List
CC: James Dutton
Subject: Re: [Hampshire] Security compromise in liblzma/OpenSSH daemon
On Sat, 30 Mar 2024 at 08:43, Nick Chalk via Hampshire
<hampshire@???> wrote:
>
> In case anyone hasn't seen this...
>
> A security compromise has been discovered in
> liblzma, part of the XZ compression utilities.
> This can affect OpenSSH's sshd, due to integration
> with systemd.
>


I guess this is a reminder that every developer of every application
or lib that one installs from a Linux distro effectively has root
access to your system.
Maybe someone needs to write a tool that scans all .deb and .rpm
install bash scripts, and highlights any non-trivial ones.
It was the xz-utils install script that caused all the problems in this case.
For example, any .deb that installs any lib should only need a very
basic install script.
The install script for xz-utils should have been simple also; it
should only be dumping some files on your filesystem and that is it.
No other activity it needs to do.
Some install scripts are more complex, e.g. postgresql, which needs to
add a postgresql user etc. and maybe auto-update the database schema.

Kind Regards

James

--
Please post to: Hampshire@???
Manage subscription: https://mailman.lug.org.uk/mailman/listinfo/hampshire
LUG website: http://www.hantslug.org.uk
--------------------------------------------------------------
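The scanner James sketches, as an added example that is not part of the thread: a POSIX shell heuristic that strips the boilerplate every library package's dpkg maintainer script carries and flags whatever is left for a human to read. The two sample postinst scripts are constructed here, not taken from any real package.

```shell
#!/bin/sh
# Added example (not from the thread): the triage tool James suggests, for
# dpkg maintainer scripts. Lines that are comments, shell structure or the
# boilerplate every library package carries (set -e, ldconfig,
# dpkg-maintscript-helper) are dropped; anything left is flagged for review.

# Count the lines in FILE that are not obvious boilerplate (grep -c exits 1
# when the count is 0, hence the "|| true").
nonboilerplate_lines() {
    grep -Evc \
        -e '^[[:space:]]*(#|$)' \
        -e '^[[:space:]]*set -e' \
        -e '^[[:space:]]*(if|then|else|elif|fi|case|esac|;;)([[:space:]]|$)' \
        -e '^[[:space:]]*[A-Za-z|*-]+\)[[:space:]]*$' \
        -e '^[[:space:]]*exit [0-9]+[[:space:]]*$' \
        -e '(^|[[:space:]])(ldconfig|dpkg-maintscript-helper)([[:space:]]|$)' \
        "$1" || true
}

# Report every non-trivial maintainer script under DIR (on a real system:
# /var/lib/dpkg/info), one line per hit.
scan_maintscripts() {
    for f in "$1"/*.preinst "$1"/*.postinst "$1"/*.prerm "$1"/*.postrm; do
        [ -f "$f" ] || continue
        n=$(nonboilerplate_lines "$f")
        [ "$n" -eq 0 ] || echo "$(basename "$f"): $n non-boilerplate line(s)"
    done
}

# Constructed samples standing in for real packages' scripts.
WORKDIR=$(mktemp -d)
cat > "$WORKDIR/liblzma5.postinst" <<'EOF'
set -e
# constructed sample in the style of a dh_makeshlibs-generated postinst
if [ "$1" = "configure" ]; then
    ldconfig
fi
EOF
cat > "$WORKDIR/postgresql-16.postinst" <<'EOF'
set -e
if [ "$1" = "configure" ]; then
    adduser --system --group --home /var/lib/postgresql postgres
    pg_upgradecluster 15 main
fi
exit 0
EOF

scan_maintscripts "$WORKDIR"
```

The .rpm half of the suggestion is not covered here; `rpm -q --scripts <package>` prints the equivalent scriptlets, to which the same heuristic can be applied.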