- cross-posted to:
- [email protected]
- [email protected]
- [email protected]
- cross-posted to:
- [email protected]
- [email protected]
- [email protected]
Related discussion:
https://news.ycombinator.com/item?id=39865810
https://news.ycombinator.com/item?id=39877267
Advisories:
I bet that you use software packages that are built and authored on systems that have systemd+sshd, though.
What happens if development or build machines belong to people who control projects that you trust and have been compromised?
Do you use a web browser? Do you use a graphical desktop environment? Are the machines those guys use vulnerable? Are the developers of the libraries that they depend on vulnerable?
Remember, this guy was attacking a downstream project (sshd) by compromising and signing source in a specific tarball of a library – the malicious code never made it into git – used by an unrelated piece of software (systemd) that some distros, not even the ssh guys, happened to link into sshd’s memory space. He’s trying to compromise unrelated software via elaborate supply chain attacks.