The officially official Devuan Forum!

You are not logged in.

#1 2024-09-04 10:36:57

Altoid
Member
Registered: 2017-05-07
Posts: 1,583  

[SOLVED] Devuan bug #858 - just a heads-up

Hello:

Just received this.

My box runs on Devuan Daedalus, upgraded yesterday to 6.1.106-3:

~$ uname -a
Linux devuan 6.1.0-25-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.106-3 (2024-08-26) x86_64 GNU/Linux
~$ 

I ran the test and it seems my system suffers from this bug*:
*?

~$ ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System infected"
System infected
~$ uname -a

Like the subject reads, this is just a heads-up on my behalf.
I know zilch about all this ie: is it really a concern?
So I'll have to start reading up on it now, but not after I take my daily ration of espresso. 8^°

Opinions/suggestions on how to proceed from those who understand this better are welcome.
In any case, my workstation has no ssh access (port 22 closed), only the headless VM running PiHole+Unbound.

Thanks in advance,

A.

Last edited by Altoid (2024-09-04 11:10:00)

Offline

#2 2024-09-04 11:03:15

stargate-sg1-cheyenne-mtn
Member
Registered: 2023-11-27
Posts: 206  

Re: [SOLVED] Devuan bug #858 - just a heads-up

thanks for posting this! we'll keep watching for thread updates!


Be Excellent to each other and Party On!
https://www.youtube.com/watch?v=rph_1DODXDU
https://en.wikipedia.org/wiki/Bill_%26_Ted%27s_Excellent_Adventure
Do unto others as you would have them do instantaneously back to you!

Offline

#3 2024-09-04 11:38:59

Altoid
Member
Registered: 2017-05-07
Posts: 1,583  

Re: [SOLVED] Devuan bug #858 - just a heads-up

Hello:

sg1 wrote:

thanks ...
... we'll keep watching ...

You're welcome.

Concurrently with the bug report to Devuan, this was posted to the [devuan-dev] list.
So I expect that comments/clarifications will get posted there first.

I wonder ...

Does this only affect Devuan? Debian is not affected?

Best,

A.

Last edited by Altoid (2024-09-04 11:39:49)

Offline

#4 2024-09-04 11:57:51

delgado
Member
Registered: 2022-07-14
Posts: 213  

Re: [SOLVED] Devuan bug #858 - just a heads-up

Hi,

I'm confused about the ssh version. https://pkginfo.devuan.org/cgi-bin/poli … r&x=submit
Affected is version 6.7 or earlier, which would mean jessie (devuan 1 / debian 8) ?

Offline

#5 2024-09-04 12:11:56

Altoid
Member
Registered: 2017-05-07
Posts: 1,583  

Re: [SOLVED] Devuan bug #858 - just a heads-up

Hello:

Delgado wrote:

Affected is version 6.7 or earlier ...

The article at arstechnica makes reference to an issue from ~15 years ago, (apparently) still unpatched.

If so, yes.
If it is from as far back as 2019, it would affect Devuan from Jesse onwards.

Best,

A.

Offline

#6 2024-09-04 14:10:50

golinux
Administrator
Registered: 2016-11-25
Posts: 3,334  

Re: [SOLVED] Devuan bug #858 - just a heads-up

Resolved: https://lists.dyne.org/lurker/message/2 … e0.en.html

I think you have missed the point that all current Devuan releases ship more
recent versions of OpenSSH than required by this test (6.7 or earlier):

openssh    | 1:7.9p1-10+deb10u2 | oldoldstable           | source
openssh    | 1:7.9p1-10+deb10u2 | oldoldstable-debug     | source
openssh    | 1:8.4p1-2~bpo10+1  | buster-backports       | source
openssh    | 1:8.4p1-2~bpo10+1  | buster-backports-debug | source
openssh    | 1:8.4p1-5+deb11u3  | oldstable              | source
openssh    | 1:8.4p1-5+deb11u3  | oldstable-debug        | source
openssh    | 1:9.2p1-2+deb12u3  | stable                 | source
openssh    | 1:9.2p1-2+deb12u3  | stable-debug           | source
openssh    | 1:9.8p1-8          | testing                | source
openssh    | 1:9.8p1-8          | unstable               | source
openssh    | 1:9.8p1-8          | unstable-debug         | source

-G is now a legitimate ssh option (see ssh(1)).

We have reviewed the article you provided and can find no evidence of compromise
of Devuan installations. It is also worth noting that all of Devuan's openssh
packages come directly from Debian, so it would likely be Debian that was
compromised.

I will close this report now, but if you feel we have misunderstood you or
missed something, please feel free to reopen.

Best wishes

Mark

Tempest in a teapot . . .

Offline

#7 2024-09-04 15:45:27

blackhole
Member
Registered: 2020-03-16
Posts: 107  

Re: [SOLVED] Devuan bug #858 - just a heads-up

$ ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System infected"

A very convoluted bit of hand holding just to see if a command supports a "-G" option...  the presence of a G option in no way conclusively proves malware is present...

FreeBSD ("G" clearly visible in the usage string) :

% ssh -G
usage: ssh [-46AaCfGgKkMNnqsTtVvXxYy] [-B bind_interface] [-b bind_address]
           [-c cipher_spec] [-D [bind_address:]port] [-E log_file]
           [-e escape_char] [-F configfile] [-I pkcs11] [-i identity_file]
           [-J destination] [-L address] [-l login_name] [-m mac_spec]
           [-O ctl_cmd] [-o option] [-P tag] [-p port] [-R address]
           [-S ctl_path] [-W host:port] [-w local_tun[:remote_tun]]
           destination [command [argument ...]]
       ssh [-Q query_option]

So this seems like it was a faulty test for malware, which should have instead focused on a check for a specific version.

% ssh -V

Offline

#8 2024-09-04 17:20:11

golinux
Administrator
Registered: 2016-11-25
Posts: 3,334  

Re: [SOLVED] Devuan bug #858 - just a heads-up

@Altoid . . . A "bug report" is not necessarily a "bug". In the future before posting about a "bug" it might be a good idea to wait until it has been verified by the Devuan devs that it actually IS a bug. No need to spread unnecessary FUD on this forum . . . wink

Offline

#9 2024-09-05 01:02:40

Altoid
Member
Registered: 2017-05-07
Posts: 1,583  

Re: [SOLVED] Devuan bug #858 - just a heads-up

Hello:

golinux wrote:

A "bug report" is not necessarily a "bug".

Indeed ...

I was citing a post at [devuan-dev] and thought it was something to be taken into account.
See: https://lists.dyne.org/lurker/message/2 … a8.en.html

But also this:

altoid wrote:

Like the subject reads, this is just a heads-up on my behalf.
I know zilch about all this ie: is it really a concern?
--- snip ---
Opinions/suggestions on how to proceed from those who understand this better are welcome.

I think my post is a very (very) long way from even the possibility of being characterised as the spreading of FUD.
Or anything of the sort.

Same for the OP at [devuan-dev] who clearly acted in good faith and did his research
I did not see his post characterised as FUD by anyone there.

Quite the contrary.

As for me, after over seven years and 1.527 posts at Dev1 ...
FUD?

Do lighten up. 8^P !!!

Best,

A.

Offline

#10 2024-09-05 01:09:40

ralph.ronnquist
Administrator
From: Battery Point, Tasmania, AUS
Registered: 2016-11-30
Posts: 1,259  

Re: [SOLVED] Devuan bug #858 - just a heads-up

It was FUD whether you accept it or not. Sometimes a couple of thoughts before typing can do wonders.

Offline

#11 2024-09-05 01:19:02

golinux
Administrator
Registered: 2016-11-25
Posts: 3,334  

Re: [SOLVED] Devuan bug #858 - just a heads-up

Or putting it another way . . . there is no need to stir the pot if there is ultimately nothing there to stir.

Offline

#12 2024-09-05 06:34:24

stargate-sg1-cheyenne-mtn
Member
Registered: 2023-11-27
Posts: 206  

Re: [SOLVED] Devuan bug #858 - just a heads-up


Be Excellent to each other and Party On!
https://www.youtube.com/watch?v=rph_1DODXDU
https://en.wikipedia.org/wiki/Bill_%26_Ted%27s_Excellent_Adventure
Do unto others as you would have them do instantaneously back to you!

Offline

#13 2024-09-05 12:30:06

Altoid
Member
Registered: 2017-05-07
Posts: 1,583  

Re: [SOLVED] Devuan bug #858 - just a heads-up

Hello:

ralph.ronnquist wrote:

... FUD whether you accept it or not.

In my opinion, the concept of FUD is to a great extent and to say the least, subjective.
ie: without a proper evaluation of intent, purpose and context labelling something as FUD can be quite difficult if not risky.

To wit:
Alter Kim's post at the [devuan-dev] list was thoughtfully replied to by Mark Hindley (arguably Devuan's most prominent member) with a follow up by member tempforever with the addition of more information.

In both instances without any mention of FUD spreading and such. ie: intent, purpose and context were evidently considered.

In a rather surprising follow up, my post here at Dev1 in which I cited the OPs post was met with a rather different demeanor, even after my posting a reply with an explanation of sorts.

@ralph.ronnquist
While I have the utmost respect for your knowledge and contrbution to the Dev1 project, I cannot but strongly disagree with your characterisation of my post as FUD.

So I'll leave this at that and (as far as I am concerned) agree to disagree, so to speak.

Best,

A.

Offline

#14 2024-09-05 13:52:54

golinux
Administrator
Registered: 2016-11-25
Posts: 3,334  

Re: [SOLVED] Devuan bug #858 - just a heads-up

Good grief . . . that is some rabbit hole!

Offline

Board footer