- cross-posted to:
- security@lemmy.ml
- cross-posted to:
- security@lemmy.ml
The person who found the backdoor : https://mastodon.social/@AndresFreundTec/112180083704606941
ELI5 what does this mean for the average Linux user? I run a few Ubuntu 22.04 systems (yeah yeah, I know, canonical schmanonical) - but they aren’t bleeding edge, so they shouldn’t exhibit this vulnerability, right?
apt info xz-utils
Your version is old as balls. Even if you were on Mantic, it would still be old as balls.
Reading the comments here https://news.ycombinator.com/item?id=39865810 it appears that libarchive may be tainted as well.
t y for sharing.
#showerthoughts The problem is in upstream and has only entered Debian Sid/unstable. Does this mean that for example bleeding edge Arch (btw) sshd users are compromised already ?
Looks like the 5.6.1-2 release on Arch moved from using the published GitHub releases to just using the git repository directly, which as I understand avoids the exploit (because the obfuscated script to inject the exploit is only present in the packaged tarballs and not the git repo itself)
https://gitlab.archlinux.org/archlinux/packaging/packages/xz/-/commit/881385757abdc39d3cfea1c3e34ec09f637424ad
Arch is on 5.6.1 as of now: https://archlinux.org/packages/core/x86_64/xz/
We at Nixpkgs have barely evaded having it go to a channel used by users and we don't seem to be affected by the backdoor.
Since you didn't build a RPM or DEB package however, your didn't compile in the backdoor.
Yeah, it's probably fine. I also don't use systemd. I was just pointing out that another rolling release distribution had the affected version.
Damn fine work all around.
I know this is an issue fraught with potential legal and political BS, and it's impossible to check everything without automation these days, but is there an organization that trains and pays people to work as security researchers or QA for open source projects?
Basically, a watchdog group that finds exploitable security vulnerabilities, and works with individuals or vendors to patch them? Maybe make it a publicly owned and operated group with mandatory reporting of some kind. An international project funded by multiple governments, where it's harder for a single point of influence to hide exploits, abuse secrets, or interfere with the researchers? They don't own or control any code, just find security issues and advise.
I don't know.
Just thinking that modern security is getting pretty complicated, with so many moving parts and all.
And you know what? Doing updates once a week saved me from updating to this version :)
It seems like a RCE, rather an auth bypass once though. https://bsky.app/profile/filippo.abyssdomain.expert/post/3kowjkx2njy2b
Is this only happened with SSH, or other network facing services using liblzma too?
We know that sshd is targeted but we don't know the full extent of the attack yet.