Supply chain vulnerability in SSH

Notice: Page may contain affiliate links for which we may earn a small commission through services like Amazon Affiliates or Skimlinks.

PigLover

Moderator
Jan 26, 2011
3,186
1,545
113
A very interesting supply chain vulnerability has been found in SSH. It’s been contained and would only affect users recent dev releases or distros that closely track upstream (e.g., Kali or Debian Sid).

I won’t repeat what’s already been written about it. Tom Lawrence has a really good treatment of it here along with links to source material.
 

mobycl1ck

Member
Feb 20, 2022
33
2
8
Question:
Does a Docker image uses the system wide xz libs, or pulls a possible vulnerable version?
 

MountainBofh

Member
Mar 9, 2024
97
86
18
It was only in a couple of releases before it got pulled. I update my kernel weekly to avoid long term exposure to this sort of thing. Currently running 6.9.
Well updating the kernel wouldn't address this issue, as it wasn't a kernel compromise, but a support package for dealing with XZ compression format. Wikipedia has a pretty good write up about this compromise. XZ Utils - Wikipedia

While serious, the good news is that only a few bleeding edge distro's appear to be affected. Reference this link and only distro's using 5.6.0 or 5.6.1 are affected. xz package versions - Repology
 
  • Like
Reactions: nexox