Regresshion impacted bookworm and trixie both. Buster was too old.
With the downside of me doing an apt update and seeing that openssh-server was on 1:9.2p1-2+deb12u3 and I had no idea at a glance if this included the fix or not (qualys’s page states version 8.5p1-9.8p1 were vulnerable).
If you are running debian bookworm or trixie, you absolutely should update your openssh-server package.
AFAIK, the xz vulnerability was designed for Debian based on its workaround fixing systemd service status detection. Even if it shipped to something like Arch, the malicious code wouldn’t load.
The ssh vulnerability didn’t affect Debian because the packages were too many versions behind
Isn’t this meme format completely written in sarcasm?
Except this isn’t true at all.
https://security-tracker.debian.org/tracker/CVE-2024-6387
Regresshion impacted bookworm and trixie both. Buster was too old.
With the downside of me doing an apt update and seeing that openssh-server was on
1:9.2p1-2+deb12u3and I had no idea at a glance if this included the fix or not (qualys’s page states version 8.5p1-9.8p1 were vulnerable).If you are running debian bookworm or trixie, you absolutely should update your openssh-server package.
AFAIK, the xz vulnerability was designed for Debian based on its workaround fixing systemd service status detection. Even if it shipped to something like Arch, the malicious code wouldn’t load.
Security through Geriatricity