In my opinion, the concept of FUD is to a great extent and to say the least, subjective.
ie: without a proper evaluation of intent, purpose and context labelling something as FUD can be quite difficult if not risky.

To wit:
Alter Kim's post at the [devuan-dev] list was thoughtfully replied to by Mark Hindley (arguably Devuan's most prominent member) with a follow up by member tempforever with the addition of more information.

In both instances without any mention of FUD spreading and such. ie: intent, purpose and context were evidently considered.

In a rather surprising follow up, my post here at Dev1 in which I cited the OPs post was met with a rather different demeanor, even after my posting a reply with an explanation of sorts.

@ralph.ronnquist
While I have the utmost respect for your knowledge and contrbution to the Dev1 project, I cannot but strongly disagree with your characterisation of my post as FUD.

So I'll leave this at that and (as far as I am concerned) agree to disagree, so to speak.

Best,

A.

and a link from that wiki:
https://en.wikipedia.org/wiki/Eric_S._Raymond

which naturally reminded of:
https://dev1galaxy.org/viewtopic.php?id=2537

and a catchy tune(potential earworm?):
https://dev1galaxy.org/viewtopic.php?pid=14836#p14836

https://en.wikipedia.org/wiki/Earworm

enjoy

Indeed ...

I was citing a post at [devuan-dev] and thought it was something to be taken into account.
See: https://lists.dyne.org/lurker/message/2 … a8.en.html

But also this:

I think my post is a very (very) long way from even the possibility of being characterised as the spreading of FUD.
Or anything of the sort.

Same for the OP at [devuan-dev] who clearly acted in good faith and did his research
I did not see his post characterised as FUD by anyone there.

Quite the contrary.

As for me, after over seven years and 1.527 posts at Dev1 ...
FUD?

Do lighten up. 8^P !!!

Best,

A.

$ ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System infected"

A very convoluted bit of hand holding just to see if a command supports a "-G" option...  the presence of a G option in no way conclusively proves malware is present...

FreeBSD ("G" clearly visible in the usage string) :

% ssh -G
usage: ssh [-46AaCfGgKkMNnqsTtVvXxYy] [-B bind_interface] [-b bind_address]
           [-c cipher_spec] [-D [bind_address:]port] [-E log_file]
           [-e escape_char] [-F configfile] [-I pkcs11] [-i identity_file]
           [-J destination] [-L address] [-l login_name] [-m mac_spec]
           [-O ctl_cmd] [-o option] [-P tag] [-p port] [-R address]
           [-S ctl_path] [-W host:port] [-w local_tun[:remote_tun]]
           destination [command [argument ...]]
       ssh [-Q query_option]

So this seems like it was a faulty test for malware, which should have instead focused on a check for a specific version.

% ssh -V

Tempest in a teapot . . .

The article at arstechnica makes reference to an issue from ~15 years ago, (apparently) still unpatched.

If so, yes.
If it is from as far back as 2019, it would affect Devuan from Jesse onwards.

Best,

A.

I'm confused about the ssh version. https://pkginfo.devuan.org/cgi-bin/poli … r&x=submit
Affected is version 6.7 or earlier, which would mean jessie (devuan 1 / debian 8) ?

You're welcome.

Concurrently with the bug report to Devuan, this was posted to the [devuan-dev] list.
So I expect that comments/clarifications will get posted there first.

I wonder ...

Does this only affect Devuan? Debian is not affected?

Best,

A.

Just received this.

My box runs on Devuan Daedalus, upgraded yesterday to 6.1.106-3:

~$ uname -a
Linux devuan 6.1.0-25-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.106-3 (2024-08-26) x86_64 GNU/Linux
~$ 

I ran the test and it seems my system suffers from this bug*:
*?

~$ ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System infected"
System infected
~$ uname -a

Like the subject reads, this is just a heads-up on my behalf.
I know zilch about all this ie: is it really a concern?
So I'll have to start reading up on it now, but not after I take my daily ration of espresso. 8^°

Opinions/suggestions on how to proceed from those who understand this better are welcome.
In any case, my workstation has no ssh access (port 22 closed), only the headless VM running PiHole+Unbound.

Thanks in advance,

A.