Article <uuccol$1qpft$4@dont-email.me>
Path: ...!eternal-september.org!feeder3.eternal-september.org!news.eternal-september.org!.POSTED!not-for-mail
From: Lew Pitcher <lew.pitcher@digitalfreehold.ca>
Newsgroups: comp.os.linux.misc
Subject: Re: Malware find in the news: xz related.
Date: Sun, 31 Mar 2024 19:15:34 -0000 (UTC)
Organization: A noiseless patient Spider
Lines: 46
Message-ID: <uuccol$1qpft$4@dont-email.me>
References: <uu7r9s$kh5b$2@dont-email.me> <uubp1i$1qg47$1@dont-email.me>
	<uuc1l6$lfl$1@tncsrv09.home.tnetconsulting.net>
	<op.2lh91erma3w0dxdave@hodgins.homeip.net> <uuc72o$1ts1m$1@dont-email.me>
	<op.2lihbgr3a3w0dxdave@hodgins.homeip.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Injection-Date: Sun, 31 Mar 2024 19:15:34 +0200 (CEST)
Injection-Info: dont-email.me; posting-host="ed41f3d6728541102659be294dee06a6";
	logging-data="1926653"; mail-complaints-to="abuse@eternal-september.org";	posting-account="U2FsdGVkX1+qvcEK2LghbOlJlWCWJM5CG8o17sJwjBk="
User-Agent: Pan/0.139 (Sexual Chocolate; GIT bf56508
 git://git.gnome.org/pan2)
Cancel-Lock: sha1:5+1HHs76WuE566H/qaiz68nuuVY=
Bytes: 3127

On Sun, 31 Mar 2024 14:51:06 -0400, David W. Hodgins wrote:

> On Sun, 31 Mar 2024 13:38:32 -0400, Rich <rich@example.invalid> wrote:
> 
>> David W. Hodgins <dwhodgins@nomail.afraid.org> wrote:
>>> On Sun, 31 Mar 2024 12:05:58 -0400, Grant Taylor <gtaylor@tnetconsulting.net> wrote:
>>>
>>>> On 3/31/24 08:38, John McCue wrote:
>>>>> Thanks, here is another interesting link that describes how the issue
>>>>> occurred and indicates why *BSD and Distros like Slackware would not
>>>>> be vulnerable.
>>>>
>>>> My understanding is that effectively the differentiating factor of if a
>>>> distro is impacted or not is if it uses systemd or not.
>>>
>>> sshd supports compression. xz is an option for how things are compressed.
>>
>> ssh supports zlib compression.  It (ssh) does not offer lzma/xz as a
>> compression option.
>>
>> xz got pulled into ssh on systemd systems because systemd supports
>> using xz/lzma for journald compression, and it is therefore a
>> dependency of libsystemd.  Some distros patch sshd to link to
>> libsystemd so that their sshd can "notify" systemd that it is up via a
>> call to a libsystemd function.
> 
> Perhaps ssh is only impacted on systemd systems, but anything processing
> untrusted xz compressed files, such as clamav is still vulnerable, so the
> statement that only systems using systemd are vulnerable is not correct.
> 
> Any system using xz 5.6.0 or 5.6.1 is vulnerable.

In theory, yes. And, "it's better to be safe than sorry"

But, from my (admittedly very limited) understanding of the backdoor (as
currently exposed), the bad code in xz specifically targets sshd, and (from
current indications) no other application.

Still, if I had one of the suspicious xz/liblzma packages installed, I'd
not hesitate to "nuke it from orbit" and replace it with a known-good version.

Again, "it's better to be safe than sorry".

-- 
Lew Pitcher
"In Skills We Trust"
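The thread above makes two checkable claims: that the affected xz/liblzma releases are 5.6.0 and 5.6.1, and that sshd only reaches liblzma on distros that link it against libsystemd. The script below is an added example (not from any poster) that turns both into defender-side checks; the `ldd` sample lines and their addresses are constructed, and the live check assumes `xz` and `sshd` are on the PATH if present at all.

```shell
#!/bin/sh
# Added example: local checks for the two points discussed in the thread.
# Not the thread's code; the sample ldd output below is constructed.

# Returns 0 if the version string is one of the two releases named in the
# thread (5.6.0 or 5.6.1), 1 otherwise.
is_affected_xz_version() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Reads `ldd <binary>` output on stdin; returns 0 if liblzma is among the
# shared objects the binary loads (directly or pulled in via libsystemd).
ldd_links_lzma() {
    grep -qE '^[[:space:]]*liblzma\.so'
}

# Reads ldd output on stdin; prints libsystemd/liblzma entries, one per line.
ldd_notable_libs() {
    grep -oE '^[[:space:]]*(libsystemd|liblzma)\.so[^[:space:]]*' | tr -d '\t '
}

# Constructed sample: what ldd on a distro-patched sshd might show
# (addresses are placeholders, not real values).
SAMPLE_LDD='	linux-vdso.so.1 (0x0000000000000001)
	libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x0000000000000002)
	liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x0000000000000003)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x0000000000000004)'

# Live check on this host: reports the installed xz version and whether the
# local sshd, if any, loads liblzma. Only runs what is actually present.
live_check() {
    if command -v xz >/dev/null 2>&1; then
        v=$(xz --version 2>/dev/null | head -n 1 | awk '{print $NF}')
        if is_affected_xz_version "$v"; then
            echo "xz $v: one of the releases named as affected"
        else
            echo "xz $v: not 5.6.0/5.6.1"
        fi
    fi
    sshd_bin=$(command -v sshd 2>/dev/null)
    if [ -n "$sshd_bin" ] && ldd "$sshd_bin" 2>/dev/null | ldd_links_lzma; then
        echo "$sshd_bin loads liblzma (libsystemd-style linkage)"
    elif [ -n "$sshd_bin" ]; then
        echo "$sshd_bin does not load liblzma"
    fi
}
```

Run `live_check` on a host, or pipe real `ldd /usr/sbin/sshd` output into `ldd_notable_libs` to see which of the two libraries are present.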