Just for interest: about OpenSSH

Security
1

Hi all, Just posting this for general interest, seeing as IPFire uses OpenSSH (I think):
https://mybroadband.co.za/news/security/530843-a-superhero-hacker-saved-the-internet-this-weekend.html

1 Like
2

That is indeed interesting. I wonder how many times it happens over a given period, cause it does.

Lets face it, proper procedures covering “everything” is lacking, not always because of unawareness, but because of the financial impact having them.

Securing a product might cost more than developing it.

3

There is already a thread about this topic:

3 Likes
4

well I did not understand that thread… :stuck_out_tongue:

5

@arne_f My apologies, I did not realise that was about the same issue.

1 Like
6

IPFire is not affected by this attack.

  • stable verions (core184) not contain the backdoored liblzma
  • testing versions (core185) prior 2024-03-31 have the problematic liblzma but ssh not use it.

If you are on core185 from testing you should check the version of liblzma by “xz --version” and reinstall the update if it was 5.6.x

3 Likes
7

Mark, good article, human factor was the main culprit,

The main dev got bullied in to accepting someone unknown as a lead. :hot_face:

If I understood correctly

  • You need to be running a distro that uses glibc (for IFUNC)
  • You need to have versions 5.6.0 or 5.6.1 of xz or liblzma installed (xz-utils provides the library liblzma) - likely only true if running a rolling-release distro and updating religiously.

This Gist was updated 27 min ago

I think I am ok right now,
My other debian machines are versions 5.2.5, but have to keep checking what other facts come out

#  xz --version
xz (XZ Utils) 5.2.5
liblzma 5.2.5