Supply chain vulnerability in SSH

[PigLover]

A very interesting supply chain vulnerability has been found in SSH. It’s been contained and would only affect users recent dev releases or distros that closely track upstream (e.g., Kali or Debian Sid).

I won’t repeat what’s already been written about it. Tom Lawrence has a really good treatment of it here along with links to source material.

 

[mobycl1ck]

Question:
Does a Docker image uses the system wide xz libs, or pulls a possible vulnerable version?

 

[MountainBofh]

If Docker is using a XZ version prior to 5.6, your fine. See the following for details. Reported Supply Chain Compromise Affecting XZ Utils Data Compression Library, CVE-2024-3094 | CISA

From what I've been reading, only extremely bleeding edge distro's are affected.

Debian 12 is using version 5.4.1. RHEL 9 variants are using version 5.2.5. Ubuntu 22.04 is using version 5.2.5.

 

[mobycl1ck]

If I get a lower version of xz from docker exec xz -V i'm good?

 

[MountainBofh]

As long as its not version 5.6 or newer, you're fine.

 

[Tech Junky]

As long as its not version 5.6 or newer, you're fine.

It was only in a couple of releases before it got pulled. I update my kernel weekly to avoid long term exposure to this sort of thing. Currently running 6.9.

 

[MountainBofh]

It was only in a couple of releases before it got pulled. I update my kernel weekly to avoid long term exposure to this sort of thing. Currently running 6.9.

Well updating the kernel wouldn't address this issue, as it wasn't a kernel compromise, but a support package for dealing with XZ compression format. Wikipedia has a pretty good write up about this compromise. XZ Utils - Wikipedia

While serious, the good news is that only a few bleeding edge distro's appear to be affected. Reference this link and only distro's using 5.6.0 or 5.6.1 are affected. xz package versions - Repology

 

[i386]

This explains Arch 2024.03.29 ._.