Received: by 2002:a05:6500:1b45:b0:1f5:f2ab:c469 with SMTP id cz5csp972585lqb;
        Wed, 17 Apr 2024 17:12:04 -0700 (PDT)
X-Forwarded-Encrypted: i=2; AJvYcCXTSaevCOvvqntSnowKBWy4uaq7PpntRjj7tC5utK74GwThEflTjY8hEStRZDVO4kO9zFbjVSeyY5/TF4lMRhRuVBHtLQZyKErNwIbw/g==
X-Google-Smtp-Source: AGHT+IE/jcctJfsN4qfLNJrlBVfchck0zH1sfRFMKyNTSpHpbEo+a+FiTOzY9aOpO29tVTn9Uems
X-Received: by 2002:a05:6808:f15:b0:3c6:382:126a with SMTP id m21-20020a0568080f1500b003c60382126amr1559550oiw.30.1713399123996;
        Wed, 17 Apr 2024 17:12:03 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1713399123; cv=none;
        d=google.com; s=arc-20160816;
        b=EK4O2gvVMaGZ/IiByw2/V9mYilIsPjOBgmocFfeEI+9Na9JxLJQvFFwhXrUeblZuFR
         RXMOOxlhLXmUBbOYGzjl+dQs8P5F+ZAHSju+/9/TQ9ewGH/vw1azpWaVQQhmaHVlTD1b
         aTMjBA6dlrRP/vJsHv+dI3Oc1aRSi4BDTLa6olMNwt5bhiHwXLWcVsbXvNhx4FkxarAT
         HlFJVtvvcHzgyUY7I7QFRzflU3rjfF/m6j+rU4/JuwvSW0XpdIgmFP+BYI1LcgngKzOo
         2QETb3ldHDEeePEIrGW0M/xWYUqYiM/BCecL7yF/ekhPXsofjd/JhDCuDQKEHeOeBodK
         ZODQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=subject:user-agent:message-id:references:in-reply-to:to:from:date
         :content-transfer-encoding:mime-version:dkim-signature
         :dkim-signature:delivered-to:reply-to:list-id:list-subscribe
         :list-unsubscribe:list-help:list-post:precedence:mailing-list;
        bh=iLC9M4GgWsWwwyVU6yajdIIngctp6WAU/Bln3LnZ8OY=;
        fh=9jsPTyo6edd9xvAeG+KFFrRrXMmgB/RdwUKOrvy9dcA=;
        b=gdhjEZ/eWhTf3h0Snuy/xnj9qhFM2PMZjrFKck/xqR2I9DuElnzKrn5LGRinJHB9TY
         9B7cAJHArDiu7WqaaG4UH2lGFF126xngQ+2Du+DiUFP08l+XKaAemcpz3F//LTfH5AGw
         74wELLcQOv/o3N0c7M3bSxmoRwjdTomSjWHFWjdsTVyzLyMwoYKjUdOke9W93oqoZ2lZ
         9RNVVfQ1P/aY0EYJKrpWdY8ia8q9ZhplvXk4E21ksW+UEpsM5KsKOu0UVNROEBBvqOnz
         UEooAsYelYT4zFjQXsStWQXr6P1iJf0cJ2yziAbj3LK5jqUmdfqqGoXX+MKEhlwsS653
         kMmQ==;
        dara=google.com
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@ucc.asn.au header.s=ucc-2016-3 header.b=YGGGFLaW;
       dkim=pass header.i=@ucc.asn.au header.s=ucc-2016-3 header.b=YGGGFLaW;
       spf=pass (google.com: domain of oss-security-return-30048-linux.lists.archive=gmail.com@lists.openwall.com designates 193.110.157.125 as permitted sender) smtp.mailfrom="oss-security-return-30048-linux.lists.archive=gmail.com@lists.openwall.com";
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=ucc.asn.au
Return-Path: <oss-security-return-30048-linux.lists.archive=gmail.com@lists.openwall.com>
Received: from second.openwall.net (second.openwall.net. [193.110.157.125])
        by mx.google.com with SMTP id d21-20020ac85ad5000000b004359c347edbsi352774qtd.144.2024.04.17.17.12.03
        for <linux.lists.archive@gmail.com>;
        Wed, 17 Apr 2024 17:12:03 -0700 (PDT)
Received-SPF: pass (google.com: domain of oss-security-return-30048-linux.lists.archive=gmail.com@lists.openwall.com designates 193.110.157.125 as permitted sender) client-ip=193.110.157.125;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@ucc.asn.au header.s=ucc-2016-3 header.b=YGGGFLaW;
       dkim=pass header.i=@ucc.asn.au header.s=ucc-2016-3 header.b=YGGGFLaW;
       spf=pass (google.com: domain of oss-security-return-30048-linux.lists.archive=gmail.com@lists.openwall.com designates 193.110.157.125 as permitted sender) smtp.mailfrom="oss-security-return-30048-linux.lists.archive=gmail.com@lists.openwall.com";
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=ucc.asn.au
Received: (qmail 1167 invoked by uid 550); 18 Apr 2024 00:11:42 -0000
Mailing-List: contact oss-security-help@lists.openwall.com; run by ezmlm
Precedence: bulk
List-Post: <mailto:oss-security@lists.openwall.com>
List-Help: <mailto:oss-security-help@lists.openwall.com>
List-Unsubscribe: <mailto:oss-security-unsubscribe@lists.openwall.com>
List-Subscribe: <mailto:oss-security-subscribe@lists.openwall.com>
List-ID: <oss-security.lists.openwall.com>
Reply-To: oss-security@lists.openwall.com
Delivered-To: mailing list oss-security@lists.openwall.com
Received: (qmail 1128 invoked from network); 18 Apr 2024 00:11:42 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=ucc.asn.au;
	s=ucc-2016-3; t=1713399084;
	bh=wR0NiR0bUP7YXsUYH5pfSLQMR3WAvCSzdLX3d2fHTag=;
	h=Date:From:To:Subject:In-Reply-To:References:From;
	b=YGGGFLaW3xp4V+FuGY2YuXKYJOpRzJDof4RDj5j4t8JAiUQs6WMhP/puZYaATmbbX
	 tra6KPAqH5smVRJY+qwl90iBgt1hIuYBu6pnqyr4pyr04EIFUo/bYYvgQu6Rr9IQJ6
	 gCKP83nVXUmD2iy3h7FUIxS4TZYJZHdqG96zAi6Y=
Authentication-Results: OpenDMARC; dmarc=pass (p=none dis=none) header.from=ucc.asn.au
Authentication-Results: OpenDMARC; spf=pass smtp.mailfrom=ucc.asn.au
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=ucc.asn.au;
	s=ucc-2016-3; t=1713399084;
	bh=wR0NiR0bUP7YXsUYH5pfSLQMR3WAvCSzdLX3d2fHTag=;
	h=Date:From:To:Subject:In-Reply-To:References:From;
	b=YGGGFLaW3xp4V+FuGY2YuXKYJOpRzJDof4RDj5j4t8JAiUQs6WMhP/puZYaATmbbX
	 tra6KPAqH5smVRJY+qwl90iBgt1hIuYBu6pnqyr4pyr04EIFUo/bYYvgQu6Rr9IQJ6
	 gCKP83nVXUmD2iy3h7FUIxS4TZYJZHdqG96zAi6Y=
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII;
 format=flowed
Content-Transfer-Encoding: 7bit
Date: Thu, 18 Apr 2024 08:11:24 +0800
From: Matt Johnston <matt@ucc.asn.au>
To: oss-security@lists.openwall.com
In-Reply-To: <661F3331.3020408@gmail.com>
References: <20240329155126.kjjfduxw2yrlxgzm@awork3.anarazel.de>
 <ed2715be-e7a0-4a7f-a3fd-7041f6c6fa49@fu-berlin.de>
 <Zgmn06K3C-nY83YH@codewreck.org> <20240331202502.GA21116@openwall.com>
 <20240416225900.GA23474@openwall.com> <661F3331.3020408@gmail.com>
Message-ID: <4eaf6a34fd8459284e1a6967c68db93f@ucc.asn.au>
X-Sender: matt@ucc.asn.au
User-Agent: Roundcube Webmail/1.3.17
Subject: Re: [oss-security] backdoor in upstream xz/liblzma leading to ssh
 server compromise

On 2024-04-17 10:25 am, Jacob Bachmeyer wrote:

> see that particular slowdown?  (Not the backdoor initialization making
> sshd take longer to start up---a running sshd taking longer to reject
> a session for a nonexistent account, unless Andres Freund forgot to
> tell us that he was running sshd from inetd and thereby including sshd
> startup latency in his measurements.)

Recent OpenSSH always re-execs for each incoming connection (for fresh 
ASLR) so it's always similar to inetd startup.

Cheers,
Matt