On 2024-03-30 07:08:45, Marc Culler wrote:
> > Potentially, any tarfile we host may contain an exploit.
>
> Potentially, any file may contain an exploit.
>
> This hack specifically targeted ssh. When used by ssh to verify keys, the
> hacked liblzma would validate certain invalid keys, allowing a "back door"
> for a particular bad actor to login to the system.
The backdoor that was _found_ targeted SSH. The person who put it there had commit access to the project for a long time. I've seen many people assume that if they aren't running a patched sshd, then they're safe by downgrading to an earlier version free of the sshd hack. If your earlier version was maintained by the same malicious person, I wouldn't be so sure. This was a coordinated attack starting in 2021 or earlier.

None of that invalidates your point of course: bundling (or not) is irrelevant if the person writing your code is untrusted. On the other hand, this wouldn't be "our code" if we didn't run our own distro.

--
You received this message because you are subscribed to the Google Groups "sage-devel" group.
To unsubscribe from this group and stop receiving emails from it, send an email to sage-devel+unsubscr...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/sage-devel/Zggi-KQ_gsPs4RTf%40stitch.