morgant, 2 months ago @mattdm @passthejoe Why doesn't it inspire confidence? xz is not in the base #OpenBSD install, must be installed separately by users, and even then is not used by ssh under OpenBSD. Per https://www.openwall.com/lists/oss-security/2024/03/29/4: "openssh does not directly use liblzma. However debian and several other distributions patch openssh to support systemd notification, and libsystemd does depend on lzma." #OpenBSD has no systemd either.
@mattdm @passthejoe Why doesn't it inspire confidence?
xz is not in the base #OpenBSD install, must be installed separately by users, and even then is not used by ssh under OpenBSD. Per https://www.openwall.com/lists/oss-security/2024/03/29/4:
"openssh does not directly use liblzma. However debian and several other distributions patch openssh to support systemd notification, and libsystemd does depend on lzma."
#OpenBSD has no systemd either.