Incorrect: the backdoored version was originally discovered by a Debian sid user on their system, and it presumably worked. On arch it’s questionable since they don’t link sshd with liblzma (although some say some kind of a cross-contamination may be possible via a patch used to support some systemd thingy, and systemd uses liblzma). Also, probably the rolling opensuse, and mb Ubuntu. Also nixos-unstalbe, but it doesn’t pass the argv[0] requirements and also doesn’t link liblzma. Also, fedora.
Yes, but Arch, though it had the compromised package, it appears the package didn’t actually compromise Arch because of how both Arch and the attack were set up.
Incorrect: the backdoored version was originally discovered by a Debian sid user on their system, and it presumably worked. On arch it’s questionable since they don’t link
sshd
withliblzma
(although some say some kind of a cross-contamination may be possible via a patch used to support some systemd thingy, and systemd usesliblzma
). Also, probably the rolling opensuse, and mb Ubuntu. Also nixos-unstalbe, but it doesn’t pass theargv[0]
requirements and also doesn’t linkliblzma
. Also, fedora.Btw, https://security.archlinux.org/ASA-202403-1
Fedora and debian was affected in beta/dev branch only, unlike arch
Unlike arch that has no “stable”. Yap, sure; idk what it was supposed to mean, tho.
Yes, but Arch, though it had the compromised package, it appears the package didn’t actually compromise Arch because of how both Arch and the attack were set up.