On Fri, Mar 29, 2024 at 10:43:35PM -0400, Richard Guy Briggs via sigs-l3go wrote:
> On 24/03/29, Alex Pilon via sigs-l3go wrote:
...
> > @bcrl, it was a Postgres developer who found out the bug while trying to
> > quiesce a system.
>
> Thanks Alex. I'd seen this earlier today and thankfully so far, all
> Debian stable are not vulnerable, neither is Fedora 40 beta or
> earlier. No RHEL is vulnerable. Nasty indeed.

There is one good thing about this: I discovered that Fedora / Red Hat /
Rocky don't change the "Compression" default in sshd_config. I have now
changed all my systems over to "Compression delay" so that if there are
any further vulnerabilities in the compression code, only authenticated
users can do damage.

-ben
--
"Thought is the essence of where you are now."