From: Marc Haber
Newsgroups: comp.os.linux.misc
Subject: Re: Malware find in the news: xz related.
Date: Sun, 31 Mar 2024 22:12:24 +0200
Organization: private site, see http://www.zugschlus.de/ for details

Grant Taylor wrote:
>On 3/31/24 11:13, David W. Hodgins wrote:
>> sshd supports compression. xz is an option for how things are compressed.
>
>I've read multiple reports that OpenSSH upstream does not support xz
>compression.
>
>Yes, OpenSSH does support multiple forms of compression, but xz is not
>one of the forms supported by upstream OpenSSH proper.
>
>xz support was brought in by things downstream.

As far as I have understood this _very_ sophisticated method, ssh is
patched by various distributions with a patch endorsed by the portable
openssh project to support sd_notify. This pulls in libsystemd, which in
turn pulls in the trojaned liblzma, which in turn hooks an RSA function
which is then used by the sshd to authenticate a user who tries to log in.

For this to work, sshd does not need to use xz.

Greetings
Marc
-- 
----------------------------------------------------------------------------
Marc Haber         |   " Questions are the         | Mailadresse im Header
Rhein-Neckar, DE   |     Beginning of Wisdom "     |
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 6224 1600402
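The practical consequence of the chain Marc describes (sd_notify patch -> libsystemd -> liblzma) is that the question to ask of a host is not "does sshd do xz compression" but "is liblzma mapped into the sshd process, and did it arrive via libsystemd". The script below is an added example, not part of the post or of any distribution's tooling. It classifies `ldd` output or `/proc/PID/maps` content by the presence of the two libraries, and runs a live check against `/usr/sbin/sshd` (an assumed default path) and any running sshd. All sample outputs are constructed for illustration, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the original post or any project): decide whether
# an sshd has liblzma in its address space and whether libsystemd is the
# route that brought it in. The same grep serves `ldd` output and
# /proc/PID/maps, since both list the shared object path.

# Constructed `ldd /usr/sbin/sshd` output for a distro sshd that carries the
# sd_notify patch. Illustrative, not captured from a real system.
SAMPLE_LDD_PATCHED='    linux-vdso.so.1 (0x00007ffd2d5f0000)
    libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f0b2a000000)
    libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f0b29f00000)
    liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f0b29ec0000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0b29c00000)'

# Constructed output for an sshd built from unpatched portable OpenSSH.
SAMPLE_LDD_UNPATCHED='    linux-vdso.so.1 (0x00007ffd2d5f0000)
    libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f0b2a000000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0b29c00000)'

# Constructed /proc/PID/maps excerpt for a running sshd with the same chain.
SAMPLE_MAPS_PATCHED='7f0b29ec0000-7f0b29ee8000 r--p 00000000 fd:01 1234 /usr/lib/x86_64-linux-gnu/liblzma.so.5.4.1
7f0b29f00000-7f0b29f2a000 r--p 00000000 fd:01 1235 /usr/lib/x86_64-linux-gnu/libsystemd.so.0.37.0
7f0b2a000000-7f0b2a100000 r--p 00000000 fd:01 1236 /usr/lib/x86_64-linux-gnu/libcrypto.so.3'

# lzma_exposure TEXT
# TEXT is ldd output or /proc/PID/maps content. Prints exactly one word:
#   systemd+lzma  both libraries present: the route described in the post
#   lzma-only     liblzma present without libsystemd (some other dependency)
#   systemd-only  libsystemd present but no liblzma
#   none          neither library present
lzma_exposure() {
    has_systemd=0
    has_lzma=0
    if printf '%s\n' "$1" | grep -q 'libsystemd\.so'; then has_systemd=1; fi
    if printf '%s\n' "$1" | grep -q 'liblzma\.so'; then has_lzma=1; fi
    case "$has_systemd$has_lzma" in
        11) echo systemd+lzma ;;
        01) echo lzma-only ;;
        10) echo systemd-only ;;
        *)  echo none ;;
    esac
}

# check_sshd [BINARY]
# Live check. First the link-time view from ldd, then the runtime view from
# the maps of every running sshd: a library pulled in with dlopen() shows up
# only in the latter, so the maps are the authoritative answer.
check_sshd() {
    bin=${1:-/usr/sbin/sshd}    # assumed default path
    if [ -x "$bin" ] && command -v ldd >/dev/null 2>&1; then
        echo "ldd $bin: $(lzma_exposure "$(ldd "$bin" 2>/dev/null)")"
    else
        echo "ldd $bin: skipped (binary or ldd not available)"
    fi
    for pid in $(pidof sshd 2>/dev/null); do
        [ -r "/proc/$pid/maps" ] || continue
        echo "pid $pid maps: $(lzma_exposure "$(cat "/proc/$pid/maps")")"
    done
}

# Demonstration on the constructed samples.
echo "patched ldd:   $(lzma_exposure "$SAMPLE_LDD_PATCHED")"
echo "unpatched ldd: $(lzma_exposure "$SAMPLE_LDD_UNPATCHED")"
echo "running maps:  $(lzma_exposure "$SAMPLE_MAPS_PATCHED")"
```

Run `check_sshd` as root on the host under review; a result of `systemd+lzma` on the maps of the listening sshd is exactly the situation the post describes, regardless of whether the sshd_config enables compression at all. The result says nothing about whether the installed liblzma is the trojaned build; it only tells you whether the library is in a position to hook sshd.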