Vulnerability in upstream XZ and liblzma libraries causing SSH server exposure
I rely on Arch in production and provide SSH access for Git, which many others do too, including Arch itself. That suggests a less-than-ideal situation. Even without considering Arch, numerous developers deploy exposed services behind containers in production. In reality, I'd fit into both scenarios.
They mentioned a phrase that might need adjusting. It seems better to say they shouldn't expect production servers running with exposed SSH ports. The main distros at risk included Debian Unstable, Fedora Rawhide, and OpenSUSE Tumbleweed—none of which are ideal for production use. Those systems with SSH and the affected versions? That’s understandable if the issue was caught quickly; otherwise, many servers would be impacted. Eventually, stable releases would replace these, but right now the scope of this problem is limited.
I understand your perspective. In this scenario, for it to be accepted in Arch would have required a stable release rather than a development build, and I recognize that Arch might have remained unaffected. The version xz-5.6.1 was labeled stable on March 9, 2024. SSH serves purposes beyond just remote shell access; it's used with tools like git or SFTP. Regarding the impact, I don't think it affected major production systems, but it highlights the need to reconsider assumptions about Arch/Rolling Releases not being suitable for production and keeping SSH exposed—especially since there are legitimate reasons for both.
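The two replies above turn on the same practical question: which hosts actually sit in scope, i.e. run an affected xz/liblzma build and also expose sshd. The helper below is an added example, not code from the thread or from the xz or OpenSSH projects. It takes the text of `xz --version` and of `ldd` run on the sshd binary (sample outputs are constructed inline so it runs offline) and reports whether the host needs attention. The affected-version set is seeded with the 5.6.1 release named in the thread and is meant to be extended from your distribution's advisory; the liblzma check reflects the fact that on the affected distributions sshd reached liblzma through libsystemd, so a statically simpler sshd that never loads liblzma is not in scope even with the bad package installed. `triage_live_host` is the only part that touches the real system, and it is optional.

```python
"""Triage helper for the xz/liblzma sshd issue (added example, not from the thread).

Decides whether a host is in scope by combining two facts a defender can collect:
  1. the installed xz/liblzma version (`xz --version`)
  2. whether the sshd binary loads liblzma at all (`ldd $(command -v sshd)`)
Both inputs are plain strings so the logic can be run offline on captured output.
"""
import re
import shutil
import subprocess
from dataclasses import dataclass
from typing import Optional

# Release named in the thread as the one labelled stable on 2024-03-09.
# Extend this set from your distribution's security advisory (assumption:
# the operator maintains it; nothing here fetches advisories).
AFFECTED_VERSIONS = {"5.6.1"}

# Constructed sample outputs, standing in for real command output.
XZ_OUTPUT_AFFECTED = "xz (XZ Utils) 5.6.1\nliblzma 5.6.1\n"
XZ_OUTPUT_OLDER = "xz (XZ Utils) 5.4.6\nliblzma 5.4.6\n"
LDD_OUTPUT_LINKED = (
    "\tlinux-vdso.so.1 (0x00007ffd0)\n"
    "\tlibsystemd.so.0 => /usr/lib/libsystemd.so.0 (0x00007f1a0)\n"
    "\tliblzma.so.5 => /usr/lib/liblzma.so.5 (0x00007f190)\n"
    "\tlibc.so.6 => /usr/lib/libc.so.6 (0x00007f180)\n"
)
LDD_OUTPUT_NOT_LINKED = (
    "\tlinux-vdso.so.1 (0x00007ffd0)\n"
    "\tlibcrypto.so.3 => /usr/lib/libcrypto.so.3 (0x00007f1a0)\n"
    "\tlibc.so.6 => /usr/lib/libc.so.6 (0x00007f180)\n"
)


@dataclass
class HostTriage:
    xz_version: Optional[str]
    sshd_links_liblzma: bool

    @property
    def in_scope(self) -> bool:
        """True only when both conditions hold: affected build AND sshd loads it."""
        return self.xz_version in AFFECTED_VERSIONS and self.sshd_links_liblzma

    def summary(self) -> str:
        if self.xz_version is None:
            return "xz not found or version unparseable; check manually"
        if self.in_scope:
            return f"IN SCOPE: xz {self.xz_version} and sshd loads liblzma"
        return f"not in scope: xz {self.xz_version}, sshd links liblzma={self.sshd_links_liblzma}"


def parse_xz_version(output: str) -> Optional[str]:
    """Pull the version out of the first line of `xz --version` output."""
    m = re.search(r"xz \(XZ Utils\) (\d+\.\d+\.\d+)", output)
    return m.group(1) if m else None


def sshd_links_liblzma(ldd_output: str) -> bool:
    """True if any shared object listed by ldd is liblzma."""
    return any(line.strip().startswith("liblzma.so") for line in ldd_output.splitlines())


def triage(xz_output: str, ldd_output: str) -> HostTriage:
    """Combine the two captured outputs into a verdict."""
    return HostTriage(parse_xz_version(xz_output), sshd_links_liblzma(ldd_output))


def triage_live_host() -> Optional[HostTriage]:
    """Collect the two outputs from the local machine (Linux with xz and ldd present)."""
    sshd_path = shutil.which("sshd") or "/usr/sbin/sshd"
    try:
        xz_out = subprocess.run(["xz", "--version"], capture_output=True, text=True).stdout
        ldd_out = subprocess.run(["ldd", sshd_path], capture_output=True, text=True).stdout
    except FileNotFoundError:
        return None
    return triage(xz_out, ldd_out)


if __name__ == "__main__":
    # Offline demonstration on the constructed samples.
    print(triage(XZ_OUTPUT_AFFECTED, LDD_OUTPUT_LINKED).summary())
    print(triage(XZ_OUTPUT_AFFECTED, LDD_OUTPUT_NOT_LINKED).summary())
    print(triage(XZ_OUTPUT_OLDER, LDD_OUTPUT_LINKED).summary())
```

Whether sshd is reachable from the network is deliberately left out of the verdict: the thread's point is that exposure is a deployment choice, so feed that in from your inventory (listening address, firewall rules) rather than guessing it from the binary.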
I understand your perspective, though this conversation seems to veer into personal choices about server management. It brings us back to the earlier point about timing and impact. Arch remained unaffected by a small technical detail in the exploit, but over time it would matter more as more systems become involved.
Normal setups on standard download pages usually work fine, including Arch with ArchInstall. It’s frustrating when this doesn’t happen, especially since it affects Linux Minecraft and the overall experience. It makes it harder to distinguish between cutting-edge packages and others, which is a challenge for me. More effort needed.