Atemu@lemmy.ml to Linux@lemmy.ml · 9 months agobackdoor in upstream xz/liblzma leading to ssh server compromisewww.openwall.comexternal-linkmessage-square90fedilinkarrow-up12arrow-down10cross-posted to: selfhosted@lemmy.worldprogramming@programming.devcybersecurity@sh.itjust.works
arrow-up12arrow-down1external-linkbackdoor in upstream xz/liblzma leading to ssh server compromisewww.openwall.comAtemu@lemmy.ml to Linux@lemmy.ml · 9 months agomessage-square90fedilinkcross-posted to: selfhosted@lemmy.worldprogramming@programming.devcybersecurity@sh.itjust.works
minus-squareSavvyBeardedFish@reddthat.comlinkfedilinkEnglisharrow-up0·9 months agoArchlinux’s XZ was compromised as well. News post Git change for not using tarballs from source
minus-squareprogandy@feddit.delinkfedilinkarrow-up0·edit-29 months agoI think that was a precaution. The malicious build script ran during the build, but the backdoor itself was most likely not included in the resuling package as it checked for specific packaging systems. https://www.openwall.com/lists/oss-security/2024/03/29/22
minus-squareflying_sheep@lemmy.mllinkfedilinkarrow-up0·9 months agoNo, read the link you posted: Arch does not directly link openssh to liblzma, and thus this attack vector is not possible. You can confirm this by issuing the following command: ldd "$(command -v sshd)" However, out of an abundance of caution, we advise users to remove the malicious code from their system by upgrading either way.
Archlinux’s XZ was compromised as well.
News post
Git change for not using tarballs from source
I think that was a precaution. The malicious build script ran during the build, but the backdoor itself was most likely not included in the resuling package as it checked for specific packaging systems.
https://www.openwall.com/lists/oss-security/2024/03/29/22
No, read the link you posted: