• u/lukmly013 💾 (lemmy.sdf.org)@lemmy.sdf.org
    link
    fedilink
    English
    arrow-up
    95
    arrow-down
    16
    ·
    8 months ago

    Your Debian stable system is so ancient you got bigger vulnerabilities to worry about: Panik!

    Also the problem was that Debian’s sshd linked to liblzma for some systemd feature to work. This mod was done by Debian team.

    • Delilah (She/Her)@lemmy.blahaj.zone
      link
      fedilink
      English
      arrow-up
      35
      ·
      8 months ago

      Even if you’re using debian 12 bookworm and are fully up to date, you’re still running [5.4.1].

      The only debian version actually shipping the vulnerable version of the package was sid, and being a canary for this kind of thing is what sid is for, which it’s users know perfectly well.

      • piefedderatedd@piefed.social
        link
        fedilink
        arrow-up
        2
        ·
        8 months ago

        There was a comment on Mastodon or Lemmy saying that the bad actor had been working with the project for two years so earlier versions may have malicious code as well already.

        • jabjoe
          link
          fedilink
          English
          arrow-up
          5
          ·
          8 months ago

          Needless to say all his work ever will already be being reviewed.

        • dan@upvote.au
          link
          fedilink
          arrow-up
          5
          ·
          8 months ago

          They did but the malware wasn’t fully implemented yet. They spent quite a while implementing it, I guess to try and make it less obvious.

      • u/lukmly013 💾 (lemmy.sdf.org)@lemmy.sdf.org
        link
        fedilink
        English
        arrow-up
        12
        arrow-down
        4
        ·
        8 months ago

        Mostly a joke about him calling it “ancient”, but there may be some unpatched vulnerabilities in older software. Though there could also be some new ones in newest versions.
        Still, unless it’s Alpha/Beta/RC, it’s probably better to keep it up-to-date.

        • Possibly linux@lemmy.zip
          link
          fedilink
          English
          arrow-up
          10
          ·
          8 months ago

          Debian responds to security issues in stable within a fairly short window. They have a dedicated security team.