• germanatlas@lemmy.blahaj.zone
    link
    fedilink
    arrow-up
    8
    ·
    4 months ago

    no real-world use found for staying more than one version behind

    The ssh vulnerability didn’t affect Debian because the packages were too many versions behind

    • azvasKvklenko@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      3
      ·
      4 months ago

      AFAIK, the xz vulnerability was designed for Debian based on its workaround fixing systemd service status detection. Even if it shipped to something like Arch, the malicious code wouldn’t load.

    • bisby@lemmy.world
      link
      fedilink
      English
      arrow-up
      2
      ·
      4 months ago

      Except this isn’t true at all.

      https://security-tracker.debian.org/tracker/CVE-2024-6387

      Regresshion impacted bookworm and trixie both. Buster was too old.

      With the downside of me doing an apt update and seeing that openssh-server was on 1:9.2p1-2+deb12u3 and I had no idea at a glance if this included the fix or not (qualys’s page states version 8.5p1-9.8p1 were vulnerable).

      If you are running debian bookworm or trixie, you absolutely should update your openssh-server package.

    • alienghic@slrpnk.net
      link
      fedilink
      English
      arrow-up
      1
      ·
      27 days ago

      The xz/ssh back door made it into Debian testing, So I felt I should wipe and reinstall.

      Debian has had a rolling release for ages.

      • renzev@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        4 months ago

        We’re on a meme page. There is little difference between sarcasm and being serious here. It doesn’t matter whether OP is being fully sarcastic or fully serious, people in the comments may hold the same opinion seriously, sarcastically, or with a mixture of both. The format is irrelevant