Atemu@lemmy.ml to Linux@lemmy.ml · 9 months agobackdoor in upstream xz/liblzma leading to ssh server compromisewww.openwall.comexternal-linkmessage-square90fedilinkarrow-up12arrow-down10cross-posted to: selfhosted@lemmy.worldprogramming@programming.devcybersecurity@sh.itjust.works
arrow-up12arrow-down1external-linkbackdoor in upstream xz/liblzma leading to ssh server compromisewww.openwall.comAtemu@lemmy.ml to Linux@lemmy.ml · 9 months agomessage-square90fedilinkcross-posted to: selfhosted@lemmy.worldprogramming@programming.devcybersecurity@sh.itjust.works
minus-squareflying_sheep@lemmy.mllinkfedilinkarrow-up0·9 months agoBackdoor only gets inserted when building RPM or DEB. So while updating frequently is a good idea, it won’t change anything for Arch users today.
minus-squareSavvyBeardedFish@reddthat.comlinkfedilinkEnglisharrow-up0·9 months agoArchlinux’s XZ was compromised as well. News post Git change for not using tarballs from source
minus-squareprogandy@feddit.delinkfedilinkarrow-up0·edit-29 months agoI think that was a precaution. The malicious build script ran during the build, but the backdoor itself was most likely not included in the resuling package as it checked for specific packaging systems. https://www.openwall.com/lists/oss-security/2024/03/29/22
minus-squareflying_sheep@lemmy.mllinkfedilinkarrow-up0·9 months agoNo, read the link you posted: Arch does not directly link openssh to liblzma, and thus this attack vector is not possible. You can confirm this by issuing the following command: ldd "$(command -v sshd)" However, out of an abundance of caution, we advise users to remove the malicious code from their system by upgrading either way.
minus-squarecorsicanguppy@lemmy.calinkfedilinkarrow-up0·9 months ago when building RPM or DEB. Which ones? Everything I run seems to be clear. https://access.redhat.com/security/cve/CVE-2024-3094 Products / Services Components State Enterprise Linux 6 xz Not affected Enterprise Linux 7 xz Not affected Enterprise Linux 8 xz Not affected Enterprise Linux 9 xz Not affected (and thus all the bug-for-bug clones)
minus-squareprogandy@feddit.delinkfedilinkarrow-up0·9 months agoThose getting the most recent software versions, so nothing that should be running in a server.
minus-squareLaser@feddit.delinkfedilinkarrow-up0·9 months agoFedora 41, Fedora Rawhide, Debian Sid are the currently known affected ones AFAIK.
Backdoor only gets inserted when building RPM or DEB. So while updating frequently is a good idea, it won’t change anything for Arch users today.
Archlinux’s XZ was compromised as well.
News post
Git change for not using tarballs from source
I think that was a precaution. The malicious build script ran during the build, but the backdoor itself was most likely not included in the resuling package as it checked for specific packaging systems.
https://www.openwall.com/lists/oss-security/2024/03/29/22
No, read the link you posted:
Which ones? Everything I run seems to be clear.
https://access.redhat.com/security/cve/CVE-2024-3094
(and thus all the bug-for-bug clones)
Those getting the most recent software versions, so nothing that should be running in a server.
Fedora 41, Fedora Rawhide, Debian Sid are the currently known affected ones AFAIK.