| Bug ID | 1222180 |
|---|---|
| Summary | openssh: rewrite systemd notification without linking systemd |
| Classification | openSUSE |
| Product | openSUSE Tumbleweed |
| Version | Current |
| Hardware | Other |
| OS | Other |
| Status | NEW |
| Severity | Normal |
| Priority | P5 - None |
| Component | Security |
| Assignee | security-team@suse.de |
| Reporter | dmueller@suse.com |
| QA Contact | qa-bugs@suse.de |
| Target Milestone | --- |
| Found By | --- |
| Blocker | --- |
openssh carries this patch: https://build.opensuse.org/projects/openSUSE:Factory/packages/openssh/files/openssh-7.7p1-systemd-notify.patch?expand=1 which is linking libsystemd, just for notifying systemd. given the large dependency tree of systemd, this increases the attack surface of openssh, as can be seen via https://www.suse.com/security/cve/CVE-2024-3094.html we should split out sd_notify() into a separate standalone library (or maybe it exists already?) and link that one instead