>>24718
Newer versions of libsystemd don't use libxz anymore. This shows the devs are aware it is being used in security-sensitive contexts like sshd, but what they're doing amounts to polishing a turd. Libsystemd was never conceived to be used in that way.
The exploit was ultimately made possible by the actions of the major systemd distros. Despite the ubiquity of systemd, upstream openssh didn't deem it necessary to include the functionality for a good reason. As opposed to something like qmail, sshd is a single binary where a line of insecure code can compromise the whole program, and all systemd-related functionality was patched in by distro maintainers.
As far as I can see the dependency was added in 2022 to support the systemd notification protocol for socket activation:
>As of version 1:9.0p1-1ubuntu1 of openssh-server in Kinetic Kudu (Ubuntu 22.10), OpenSSH in Ubuntu is configured by default to use systemd socket activation. This means that sshd will not be started until an incoming connection request is received. This has been done to reduce the memory consumed by Ubuntu Server instances by default, which is of particular interest with Ubuntu running in VMs or LXD containers: by not running sshd when it is not used, we save at least 3MiB of memory in each instance, representing a savings of roughly 5% on an idle, pristine kinetic container.
Imagine adding a kludgy inetd because your defaults suck and users can't or won't pass 'systemctl disable sshd' to the system. Leaving readily accessible ssh daemons on every Ubuntu system is just waiting for an exploit like this to happen and maim every inattentive sysadmin in the process.
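The protocol the post refers to is small: a supervised daemon sends a text datagram such as `READY=1` to the AF_UNIX socket named in `$NOTIFY_SOCKET` (an `@` prefix denotes a Linux abstract socket). The following is an added example, not code from this thread, from OpenSSH or from systemd: a dependency-free implementation of that send, so a privileged network-facing process can report readiness without linking libsystemd and its transitive dependencies. It assumes Linux/POSIX sockets; the `notify_roundtrip` demo stands in for systemd with a receiver bound to a constructed path under a temporary directory.

```c
/* Dependency-free sd_notify(3)-style readiness notification (added example).
 * Assumes Linux/POSIX; the demo socket path below is constructed for the demo. */
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/un.h>

#ifndef MSG_NOSIGNAL
#define MSG_NOSIGNAL 0
#endif
#ifndef SOCK_CLOEXEC
#define SOCK_CLOEXEC 0
#endif

/* Build a sockaddr_un from a NOTIFY_SOCKET value; "@name" is an abstract socket. */
static int fill_unix_addr(const char *path, struct sockaddr_un *addr, socklen_t *alen) {
    size_t plen = strlen(path);
    if (plen == 0 || (path[0] != '/' && path[0] != '@'))
        return -EAFNOSUPPORT;            /* only filesystem or abstract unix sockets */
    if (plen >= sizeof addr->sun_path)
        return -ENAMETOOLONG;
    memset(addr, 0, sizeof *addr);
    addr->sun_family = AF_UNIX;
    memcpy(addr->sun_path, path, plen);
    if (addr->sun_path[0] == '@')
        addr->sun_path[0] = '\0';        /* abstract namespace: leading NUL byte */
    *alen = (socklen_t)(offsetof(struct sockaddr_un, sun_path) + plen);
    return 0;
}

/* Send one notification datagram (e.g. "READY=1") to $NOTIFY_SOCKET.
 * Returns 0 when NOTIFY_SOCKET is unset (not supervised: a no-op, as with
 * sd_notify), 1 when the datagram was sent, -errno on failure. */
int notify_systemd(const char *state) {
    const char *path = getenv("NOTIFY_SOCKET");
    if (path == NULL || path[0] == '\0')
        return 0;
    struct sockaddr_un addr;
    socklen_t alen;
    int rc = fill_unix_addr(path, &addr, &alen);
    if (rc < 0)
        return rc;
    int fd = socket(AF_UNIX, SOCK_DGRAM | SOCK_CLOEXEC, 0);
    if (fd < 0)
        return -errno;
    ssize_t n = sendto(fd, state, strlen(state), MSG_NOSIGNAL,
                       (const struct sockaddr *)&addr, alen);
    int err = errno;
    close(fd);
    return n < 0 ? -err : 1;
}

/* Demo round trip: a receiver bound to a constructed temp path stands in for
 * systemd; NOTIFY_SOCKET is pointed at it, READY=1 is sent and read back.
 * Returns 1 on success, 0 if the payload differs, -errno on a socket error,
 * -1 if the unset-environment no-op check fails. */
int notify_roundtrip(void) {
    unsetenv("NOTIFY_SOCKET");
    if (notify_systemd("READY=1") != 0)
        return -1;

    char dir[] = "/tmp/notify-demo-XXXXXX";   /* constructed, not a real unit path */
    if (mkdtemp(dir) == NULL)
        return -errno;
    char path[64];
    snprintf(path, sizeof path, "%s/notify", dir);

    struct sockaddr_un addr;
    socklen_t alen;
    int rc = fill_unix_addr(path, &addr, &alen);
    if (rc < 0) { rmdir(dir); return rc; }
    int rfd = socket(AF_UNIX, SOCK_DGRAM | SOCK_CLOEXEC, 0);
    if (rfd < 0) { rc = -errno; rmdir(dir); return rc; }
    if (bind(rfd, (const struct sockaddr *)&addr, alen) < 0) {
        rc = -errno; close(rfd); rmdir(dir); return rc;
    }

    setenv("NOTIFY_SOCKET", path, 1);
    rc = notify_systemd("READY=1");
    unsetenv("NOTIFY_SOCKET");
    char buf[64] = {0};
    ssize_t n = -1;
    if (rc == 1)
        n = recv(rfd, buf, sizeof buf - 1, 0);
    int err = errno;
    close(rfd);
    unlink(path);
    rmdir(dir);
    if (rc != 1) return rc;
    if (n < 0) return -err;
    return (n == 7 && memcmp(buf, "READY=1", 7) == 0) ? 1 : 0;
}

int main(void) {
    int rc = notify_roundtrip();
    printf("round trip: %s (%d)\n", rc == 1 ? "ok" : "failed", rc);
    return rc == 1 ? 0 : 1;
}
```

The point for a defender is the size of the attack surface that was bought for this feature: readiness notification needs one unconnected datagram send, and the no-op-when-unset behaviour means the same binary runs identically outside systemd. Keeping the implementation to this handful of lines inside the daemon avoids pulling a general-purpose library, and everything it links, into sshd's address space.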