https://bugzilla.suse.com/show_bug.cgi?id=1222180

Bug ID: 1222180
Summary: openssh: rewrite systemd notification without linking systemd
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: security-team@suse.de
Reporter: dmueller@suse.com
QA Contact: qa-bugs@suse.de
Target Milestone: ---
Found By: ---
Blocker: ---

openssh carries this patch:

https://build.opensuse.org/projects/openSUSE:Factory/packages/openssh/files/...

which is linking libsystemd, just for notifying systemd. Given the large dependency tree of systemd, this increases the attack surface of openssh, as can be seen via https://www.suse.com/security/cve/CVE-2024-3094.html

We should split out sd_notify() into a separate standalone library (or maybe it exists already?) and link that one instead.