Panik: your Debian stable system is so ancient it still contains the heartbleed bug.
Is linux 6.1 vulnerable to heartbleed? I’m on lmde6 with linux 6.1 btw) edit: as other comment said debian 12 is good so everything alright
I don’t think heartbleed is a kernel bug
Its a CPU bug only the kernel can fix 🤒. The kernel is responsible for its running hardware.Am I dumb? that’s the spectere and meltdown bug. xz-utils malware is a whole other thing, lol.
Heartbleed isn’t a hardware vulnerability either. It’s a bug in OpenSSL. Are you alright?
Clearly not, lol. Every vulnerability is spectere aparently. (To be fair, the other CVE this week is hardware based)
Heartbleed isn’t new either. It’s from years ago. It’s also unrelated to the xz backdoor. Maybe you should get some rest. Check your carbon monoxide alarms are working. If not see a doctor. It sounds like you are having memory issues.
The xz infiltration is a proof of concept.
Anyone who is comforted by the fact they’re not affected by a particular release is misguided. We just don’t yet know the ways in which we are thoroughly screwed.
Still paniking, cause the backdoor was apparently targetting Debian servers, it was discovered just by chance and the “mantainer” made commits for 2 years in the same repo
The fact that this was planned is what makes me nervous. Imagine what else is lurking.
and it was only discovered accidentally, when someone was profiling some stuff, noticed SSH using a bit too much CPU power when receiving connections even for invalid usernames/passwords, and spent the time to investigate it more deeply. A lot of developers aren’t that attentive, and it could have easily snuck through.
Your Debian stable system is so ancient you got bigger vulnerabilities to worry about: Panik!
Also the problem was that Debian’s sshd linked to liblzma for some systemd feature to work. This mod was done by Debian team.
Liblzma balls
But do it in private, don’t let my xz.
Even if you’re using debian 12 bookworm and are fully up to date, you’re still running [5.4.1].
The only debian version actually shipping the vulnerable version of the package was sid, and being a canary for this kind of thing is what sid is for, which it’s users know perfectly well.
What do you mean bigger vulnerabilitirs to worry about in Debian stable?
Mostly a joke about him calling it “ancient”, but there may be some unpatched vulnerabilities in older software. Though there could also be some new ones in newest versions.
Still, unless it’s Alpha/Beta/RC, it’s probably better to keep it up-to-date.Debian patches security vulnerabilities in stable. They don’t change the version numbers or anything but they do fix security holes.
Debian responds to security issues in stable within a fairly short window. They have a dedicated security team.
