Classic Debian security management
Not Slackware, since Slackware does not use xz or many other utilities. Plus it does not use systemd. From what I remember a patch was put in to give systemd extra functionality and someone used that patch to sneak in the backdoor.
This wasn't exactly necessary since the protocol has been stable for external use for ages (since its inception IIRC) and is relatively trivial to implement.
Since the attack happened, openssh gained native support for the sd-notify protocol, the sd-notify man page has an example implementation that is freely usable, and libsystemd now only loads xz (and most of its other libraries) when explicitly requested by one of the tools via `dlopen`.
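For readers who want to see how small the "relatively trivial to implement" client side of the protocol is, here is an added example, written for this page and not taken from openssh, systemd or the sd_notify(3) man page. It sends a notification datagram to the socket named in `$NOTIFY_SOCKET` with nothing but the C library, so a daemon that uses it never links libsystemd (and therefore never pulls in liblzma). It assumes Linux (abstract-namespace unix sockets, `SOCK_CLOEXEC`, `MSG_NOSIGNAL`); the function names and the `selftest` harness, which plays the supervisor's side with a socket of its own, are this example's, and the message text is constructed for the demonstration.

```c
#define _GNU_SOURCE
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/* Build the sockaddr for a $NOTIFY_SOCKET value. systemd hands out either an
 * absolute filesystem path or an abstract-namespace name written with a
 * leading '@'. Returns the address length for sendto()/bind(), or 0 if the
 * value is not usable (relative path, or too long for sun_path). */
static socklen_t notify_addr(struct sockaddr_un *addr, const char *path)
{
    size_t plen = strlen(path);

    if ((path[0] != '/' && path[0] != '@') || plen >= sizeof(addr->sun_path))
        return 0;
    memset(addr, 0, sizeof(*addr));
    addr->sun_family = AF_UNIX;
    memcpy(addr->sun_path, path, plen);
    if (path[0] == '@') {
        addr->sun_path[0] = '\0';   /* abstract name: leading NUL, no terminator */
        return (socklen_t)(offsetof(struct sockaddr_un, sun_path) + plen);
    }
    return (socklen_t)(offsetof(struct sockaddr_un, sun_path) + plen + 1);
}

/* Send one sd_notify(3) state string ("READY=1\n", "STATUS=...\n", ...) as a
 * single datagram to the socket named by `path`. Returns 1 if sent, 0 if
 * `path` is unset or empty (no notify-aware supervisor), -1 on error. */
int sd_notify_to(const char *path, const char *state)
{
    struct sockaddr_un addr;
    socklen_t alen;
    int fd, rc;

    if (path == NULL || path[0] == '\0')
        return 0;
    alen = notify_addr(&addr, path);
    if (alen == 0)
        return -1;
    fd = socket(AF_UNIX, SOCK_DGRAM | SOCK_CLOEXEC, 0);
    if (fd < 0)
        return -1;
    rc = (int)sendto(fd, state, strlen(state), MSG_NOSIGNAL,
                     (struct sockaddr *)&addr, alen);
    close(fd);
    return rc < 0 ? -1 : 1;
}

/* What a daemon calls once its listeners are bound and it can serve. */
int sd_notify_ready(void)
{
    return sd_notify_to(getenv("NOTIFY_SOCKET"), "READY=1\n");
}

/* Play the supervisor's side: bind a datagram socket at `path`, send `msg`
 * to it through sd_notify_to(), and check it arrives intact.
 * Returns 1 on success, 0 if the payload differs, -1 on a socket error. */
static int roundtrip(const char *path, const char *msg)
{
    struct sockaddr_un addr;
    socklen_t alen = notify_addr(&addr, path);
    char buf[256];
    ssize_t n;
    int rfd, ok = -1;

    if (alen == 0)
        return -1;
    rfd = socket(AF_UNIX, SOCK_DGRAM | SOCK_CLOEXEC, 0);
    if (rfd < 0)
        return -1;
    if (bind(rfd, (struct sockaddr *)&addr, alen) == 0 &&
        sd_notify_to(path, msg) == 1 &&
        (n = recv(rfd, buf, sizeof(buf) - 1, 0)) >= 0) {
        buf[n] = '\0';
        ok = strcmp(buf, msg) == 0;
    }
    close(rfd);
    if (path[0] == '/')
        unlink(path);
    return ok;
}

/* Exercise both address forms systemd can hand out. Returns 1 if both work. */
int selftest(void)
{
    char fs[64], abstr[64];
    const char *msg = "READY=1\nSTATUS=listening on :22\n";   /* constructed sample */

    snprintf(fs, sizeof fs, "/tmp/sdnotify-test-%ld", (long)getpid());
    snprintf(abstr, sizeof abstr, "@sdnotify-test-%ld", (long)getpid());
    return roundtrip(fs, msg) == 1 && roundtrip(abstr, msg) == 1;
}

int main(void)
{
    printf("selftest: %s\n", selftest() ? "ok" : "FAILED");
    printf("sd_notify_ready: %d (0 means $NOTIFY_SOCKET is unset)\n", sd_notify_ready());
    return 0;
}
```

The whole client is one `socket()` and one `sendto()`; the only real care points are the abstract-namespace encoding and treating an unset `$NOTIFY_SOCKET` as "not supervised" rather than as an error. Compare that with the dependency surface of linking libsystemd just for this call, which is the trade the backdoor exploited.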
I worked at a company that got red-teamed. The pen testers were inside the network and were only found by a random employee who happened to be running Little Snitch and got a weird pop-up.
Nobody celebrated the fact that the intrusion was detected. It was pure luck, too late, and the entire infosec leadership was fired as a result.
Like this xz issue, none of the usual systems meant to detect this attack seemed to work, and it was only due to the diligence of a single person unrelated to the project that it was not a complete show.
jqpabc123•1h ago
Who vets contributors, maintainers and submissions?
Answer: Unknown in many (if not most) cases. Unless you have the time and expertise to do so yourself; it is purely based on trust.
jqpabc123•11m ago
This ideal obviously did not happen here.
And there are no consequences for those who fail to do so.