• fl42v@lemmy.ml
    link
    fedilink
    arrow-up
    115
    arrow-down
    1
    ·
    9 months ago

    Incorrect: the backdoored version was originally discovered by a Debian sid user on their system, and it presumably worked. On arch it’s questionable since they don’t link sshd with liblzma (although some say some kind of a cross-contamination may be possible via a patch used to support some systemd thingy, and systemd uses liblzma). Also, probably the rolling opensuse, and mb Ubuntu. Also nixos-unstalbe, but it doesn’t pass the argv[0] requirements and also doesn’t link liblzma. Also, fedora.

    Btw, https://security.archlinux.org/ASA-202403-1

    • SpaceCowboy@lemmy.ca
      link
      fedilink
      arrow-up
      19
      arrow-down
      2
      ·
      9 months ago

      Sid was that dickhead in Toystory that broke the toys.

      If you’re running debian sid and not expecting it to be a buggy insecure mess, then you’re doing debian wrong.

      • fl42v@lemmy.ml
        link
        fedilink
        arrow-up
        5
        arrow-down
        1
        ·
        9 months ago

        Unlike arch that has no “stable”. Yap, sure; idk what it was supposed to mean, tho.

      • milicent_bystandr@lemm.ee
        link
        fedilink
        arrow-up
        2
        ·
        9 months ago

        Yes, but Arch, though it had the compromised package, it appears the package didn’t actually compromise Arch because of how both Arch and the attack were set up.