Atemu@lemmy.ml to Linux@lemmy.ml · 2 years agobackdoor in upstream xz/liblzma leading to ssh server compromisewww.openwall.comexternal-linkmessage-square88fedilinkarrow-up12arrow-down10cross-posted to: selfhosted@lemmy.worldprogramming@programming.devcybersecurity@sh.itjust.works
arrow-up12arrow-down1external-linkbackdoor in upstream xz/liblzma leading to ssh server compromisewww.openwall.comAtemu@lemmy.ml to Linux@lemmy.ml · 2 years agomessage-square88fedilinkcross-posted to: selfhosted@lemmy.worldprogramming@programming.devcybersecurity@sh.itjust.works
minus-squareSavvyBeardedFish@reddthat.comlinkfedilinkEnglisharrow-up0·2 years agoArchlinux’s XZ was compromised as well. News post Git change for not using tarballs from source
minus-squareprogandy@feddit.delinkfedilinkarrow-up0·edit-22 years agoI think that was a precaution. The malicious build script ran during the build, but the backdoor itself was most likely not included in the resuling package as it checked for specific packaging systems. https://www.openwall.com/lists/oss-security/2024/03/29/22
minus-squareflying_sheep@lemmy.mllinkfedilinkarrow-up0·2 years agoNo, read the link you posted: Arch does not directly link openssh to liblzma, and thus this attack vector is not possible. You can confirm this by issuing the following command: ldd "$(command -v sshd)" However, out of an abundance of caution, we advise users to remove the malicious code from their system by upgrading either way.
Archlinux’s XZ was compromised as well.
News post
Git change for not using tarballs from source
I think that was a precaution. The malicious build script ran during the build, but the backdoor itself was most likely not included in the resuling package as it checked for specific packaging systems.
https://www.openwall.com/lists/oss-security/2024/03/29/22
No, read the link you posted: