XZ problem: should I reinstall my system

I’ve read this: openSUSE addresses supply chain attack against xz compression library - openSUSE News. The news said openSUSE Tumbleweed was affected by this security problem in March. So I ask: should I reinstall my system? I do not know much about the XZ problem, but if it only gives access to the system by SSH and I do not use something like a VPN/STUN server, then I think I am not affected. I do not have a public IP after all.

You will need to make your own decision on that.

I did not reinstall. I just updated. My system is behind a NAT router, and I am not port-forwarding the SSH port (or any port). So the risk seemed low. Hmm, my ISP does not currently provide IPv6, so that cannot be used to access my system.

If I did have IPv6, I think I still would not reinstall. The risk seems small. There are so many possible IPv6 addresses, that it would take a long time for scanning them unless the attacker has other information.

OK. IPv6 should eliminate NAT, because there would be a big number of available addresses. I heard that NAT is provided because ISPs ask for it.

Anyway, how do I check if my ISP provides IPv6 for me? How do I check if my router uses it? Under connection properties (Plasma6), there is only a DNS address for IPv6 and no other IPv6-related information.

That possibly indicates that you don’t have IPv6.

You could also check the output of “ip a”. When I do that, I do see an IPv6 address, but it starts with “fe80”, which is just for the local LAN and is not routed.

Thanks.

2: wlp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 38:fc:98:85:ff:d9 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.137/24 brd 192.168.0.255 scope global dynamic noprefixroute wlp2s0
       valid_lft 78499sec preferred_lft 78499sec
    inet6 fe80::24b:5b9d:23bf:c0f2/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever

I see that I do not have an IPv6 address (probably). The inet6 address is link-local, I think, but there is a mismatch with the MAC address. I must say, I do not know how to create a link-local address (I do not remember).

That looks okay. So there’s no good reason to reinstall.

Hi all,

I’ve been slacking on checking the forum and have today discovered the issue with xz etc.

I’ve not used SSH for a few months on this machine but I’m about to. I don’t think I have anything to worry about but I thought I’d check here first. I do not want to reinstall if at all possible.

Some output that might be useful:

zod:~ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute 
       valid_lft forever preferred_lft forever
2: enp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether dc:fe:07:d6:c5:1b brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.171/24 brd 192.168.0.255 scope global dynamic noprefixroute enp3s0
       valid_lft 6282sec preferred_lft 6282sec
    inet6 fe80::defe:7ff:fed6:c51b/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
3: wlp2s0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 2a:5d:ce:d7:da:64 brd ff:ff:ff:ff:ff:ff permaddr d0:57:7b:cc:e3:ea
zod:~ # firewall-cmd --list-all
public (default, active)
  target: default
  ingress-priority: 0
  egress-priority: 0
  icmp-block-inversion: no
  interfaces: enp3s0
  sources: 
  services: dhcpv6-client
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:

No output from the following: lsof -i -n | egrep 'ssh' / lsof -i -n | egrep 'sshd'

The detect.sh script said there “probably” isn’t a problem.

Because the SSH service hasn’t been running for months and I’m up to date on Tumbleweed, fingers crossed I’m OK to proceed.
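The address check discussed in this thread, as an added example (not part of any post and not openSUSE's code): it parses `ip a` output, classifies each address by reachability, and answers the MAC-mismatch question by testing whether a link-local address is the modified EUI-64 form of the interface MAC. The function names are this example's own, and the sample is the output quoted in the posts above.

```python
import ipaddress
import re

# `ip a` lines copied from the two posts above (two different machines, lifetimes omitted).
SAMPLE = """\
2: wlp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 38:fc:98:85:ff:d9 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.137/24 brd 192.168.0.255 scope global dynamic noprefixroute wlp2s0
    inet6 fe80::24b:5b9d:23bf:c0f2/64 scope link noprefixroute
2: enp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether dc:fe:07:d6:c5:1b brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.171/24 brd 192.168.0.255 scope global dynamic noprefixroute enp3s0
    inet6 fe80::defe:7ff:fed6:c51b/64 scope link noprefixroute
"""

def eui64_link_local(mac):
    """Link-local address that modified EUI-64 would derive from this MAC."""
    b = bytearray(int(x, 16) for x in mac.split(":"))
    b[0] ^= 0x02  # flip the universal/local bit
    iid = bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:])
    return ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + iid)

def classify(addr):  # reachability class, judged by the address alone
    if addr.is_loopback or addr.is_link_local:
        return "loopback" if addr.is_loopback else "link-local"
    return "global" if addr.is_global else "non-global"

def report(text):
    """Return (interface, address, class, note) for every inet/inet6 line."""
    rows, name, mac = [], None, None
    for line in text.splitlines():
        head = re.match(r"\d+: ([^:@]+)[:@]", line)
        fields = line.split()
        if head:
            name, mac = head.group(1), None
        elif name and fields[:1] == ["link/ether"]:
            mac = fields[1]
        elif name and fields[:1] in (["inet"], ["inet6"]):
            addr = ipaddress.ip_address(fields[1].split("/")[0])
            kind, note = classify(addr), ""
            if kind == "link-local" and addr.version == 6 and mac:
                note = "EUI-64 of MAC" if addr == eui64_link_local(mac) else "not MAC-derived"
            rows.append((name, str(addr), kind, note))
    return rows

def has_global_address(text):
    return any(kind == "global" for _, _, kind, _ in report(text))

if __name__ == "__main__":
    print(*report(SAMPLE), has_global_address(SAMPLE), sep="\n")
```

"not MAC-derived" means the interface identifier was generated some other way, for example the opaque identifiers of RFC 7217, and is not a sign of tampering. A result with no global address describes only the host's own addresses; forwarding rules on the router are a separate check.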
