OpenSSH 9.8 resolves critical rce vulnerability

Already included in nightlies. https://github.com/LibreELEC/LibreELEC.tv/pull/9048

We do consider security issues, and the probabilty of a meaningfull exploit in the wild through LE devices is low. The attacker needs to be in the same network and most LE boxes are hidden behind NAT/firewalls, and if the attacker is already in the local network the HTPC isn't the target of interest and you have bigger things to worry about. In the past I've added some LE devices to instrumented honeypot networks alongside some well prepared deception assets. Most attackers shy away from the devices because they don't fingerprint as something known and recognised. The subset who did try to compromise the LE device generally succeeded with a dictionary attack on the well-known default password not vulnerability exploits, and then they all tried to drop a comprise toolkit into the OS, which fails massively due to our non-standard distro packaging, and they quickly gave up and moved onto other more promising targets in the environment. Plus, even if we rush out a release and push the update to the small percentage of devices that would receive it, the other 90% of our rather sizeable userbase will remain on something older with even more vulnerabilities. In the grand scheme of things and compared to the shenanigans that I see in my DFIR day-job, this is nothing to lose sleep over.

It reminds me of this: https://www.reddit.com/r/ProgrammerHu…ferthanotheros/

Linux OSes are quite fragmented and hackers like to cast a large net by targeting the most common platforms. If you're using a debian derivative or a red hat distro with systemd, you're more likely to be targeted.