this post was submitted on 30 Mar 2024
986 points (98.7% liked)

linuxmemes

20484 readers
1231 users here now

I use Arch btw

Sister communities:

Community rules

  1. Follow the site-wide rules and code of conduct
  2. Be civil
  3. Post Linux-related content
  4. No recent reposts

Please report posts and comments that break these rules!

founded 1 year ago
MODERATORS
[email protected]
[email protected]
986
Debian security amirite? (lemmy.world)
submitted 4 months ago by [email protected] to c/[email protected]
75 comments fedilink hide all child comments
 
you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 79 points 4 months ago (4 children)

Your Debian stable system is so ancient you got bigger vulnerabilities to worry about: Panik!

Also the problem was that Debian's sshd linked to liblzma for some systemd feature to work. This mod was done by Debian team.

[–] [email protected] 116 points 4 months ago (1 children)

Liblzma balls

[–] [email protected] 24 points 4 months ago

But do it in private, don't let my xz.

[–] [email protected] 35 points 4 months ago (1 children)

Even if you're using debian 12 bookworm and are fully up to date, you're still running [5.4.1].

The only debian version actually shipping the vulnerable version of the package was sid, and being a canary for this kind of thing is what sid is for, which it's users know perfectly well.

[–] [email protected] 2 points 4 months ago (3 children)

There was a comment on Mastodon or Lemmy saying that the bad actor had been working with the project for two years so earlier versions may have malicious code as well already.

[–] [email protected] 5 points 4 months ago

They did but the malware wasn't fully implemented yet. They spent quite a while implementing it, I guess to try and make it less obvious.

[–] [email protected] 5 points 4 months ago

Distros like gentoo reverted to 5.4.2 for that reason. If debian stable is on 5.4.1 that should be ok.

[–] [email protected] 5 points 4 months ago

Needless to say all his work ever will already be being reviewed.

[–] [email protected] 29 points 4 months ago

The linked version in stable was not impacted.

[–] [email protected] 11 points 4 months ago (1 children)

What do you mean bigger vulnerabilitirs to worry about in Debian stable?

[–] [email protected] 8 points 4 months ago (2 children)

Mostly a joke about him calling it "ancient", but there may be some unpatched vulnerabilities in older software. Though there could also be some new ones in newest versions.
Still, unless it's Alpha/Beta/RC, it's probably better to keep it up-to-date.

[–] [email protected] 11 points 4 months ago

Debian patches security vulnerabilities in stable. They don’t change the version numbers or anything but they do fix security holes.

[–] possiblylinux127 10 points 4 months ago

Debian responds to security issues in stable within a fairly short window. They have a dedicated security team.