Re: [Hampshire] Security compromise in liblzma/OpenSSH daemo…

Top Page
Author: Brad Rogers via Hampshire
Date:  
To: Hampshire LUG List
CC: Brad Rogers
Subject: Re: [Hampshire] Security compromise in liblzma/OpenSSH daemon

Reply to this message
gpg: failed to create temporary file '/var/lib/lurker/.#lk0x583ce100.hantslug.org.uk.14648': Permission denied
gpg: keyblock resource '/var/lib/lurker/pubring.gpg': Permission denied
gpg: Signature made Mon Apr 1 14:42:07 2024 BST
gpg: using RSA key 9B00C02592448A31EF971B350F3EE001F02A3E20
gpg: Can't check signature: No public key
On Mon, 1 Apr 2024 14:21:02 +0100
James Dutton via Hampshire <hampshire@???> wrote:

Hello James,

>Maybe someone needs to write a tool that scans all .deb and .rpm
>install bash scripts, and highlights any non-trivial ones.


There's discussion of the issue on the Debian Developers ML. I read it,
but don't post;

a) not a developer (although it's not required to be one to post there)
b) much of the discussion is too technical for me to fully comprehend or
make useful contributions.

>The install script for xz-utils should have been simple also, it
>should only be dumping some files on your filesystem and that is it.
>No other activity it needs to do.


From what I've read, it's precisely this that triggered the
investigation; Person installing xz-utls notices a pause during the
process and investigated why. I'd have not noticed, I'm sure.

-- 
 Regards  _       "Valid sig separator is {dash}{dash}{space}"
         / )      "The blindingly obvious is never immediately apparent"
        / _)rad   "Is it only me that has a working delete key?"
It's becoming an obsession
Teenage Depression - Eddie & The Hot Rods

--
Please post to: Hampshire@???
Manage subscription: https://mailman.lug.org.uk/mailman/listinfo/hampshire
LUG website: http://www.hantslug.org.uk
--------------------------------------------------------------