Atemu to Linux · 8 months agobackdoor in upstream xz/liblzma leading to ssh server compromisewww.openwall.comexternal-linkmessage-square100fedilinkarrow-up1528arrow-down15cross-posted to: selfhosted@lemmy.worldlinux@lemmy.worldnetsec@lemmy.worldprogramming@programming.devsaugumas@group.ltcybersecurity@sh.itjust.workshackernews@lemmy.smeargle.fanssecurity
arrow-up1523arrow-down1external-linkbackdoor in upstream xz/liblzma leading to ssh server compromisewww.openwall.comAtemu to Linux · 8 months agomessage-square100fedilinkcross-posted to: selfhosted@lemmy.worldlinux@lemmy.worldnetsec@lemmy.worldprogramming@programming.devsaugumas@group.ltcybersecurity@sh.itjust.workshackernews@lemmy.smeargle.fanssecurity
minus-squareAtemuOPlinkfedilinkarrow-up19·edit-28 months agoArch is on 5.6.1 as of now: https://archlinux.org/packages/core/x86_64/xz/ We at Nixpkgs have barely evaded having it go to a channel used by users and we don’t seem to be affected by the backdoor.
minus-squareStatic_Rocket@lemmy.worldlinkfedilinkEnglisharrow-up13·edit-28 months agoArch had a patch rolled out yesterday [1][2][3] that switches to the git repo. On top of that the logic in the runtime shim and build script modifier was orchestrated to target Debian and RPM build systems and environments [4]. [1] https://gitlab.archlinux.org/archlinux/packaging/packages/xz/-/commit/881385757abdc39d3cfea1c3e34ec09f637424ad [2] https://gitlab.archlinux.org/archlinux/packaging/packages/xz/-/issues/2 [3] https://security.archlinux.org/CVE-2024-3094 [4] https://www.openwall.com/lists/oss-security/2024/03/29/4
Arch is on 5.6.1 as of now: https://archlinux.org/packages/core/x86_64/xz/
We at Nixpkgs have barely evaded having it go to a channel used by users and we don’t seem to be affected by the backdoor.
Arch had a patch rolled out yesterday [1][2][3] that switches to the git repo. On top of that the logic in the runtime shim and build script modifier was orchestrated to target Debian and RPM build systems and environments [4].
[1] https://gitlab.archlinux.org/archlinux/packaging/packages/xz/-/commit/881385757abdc39d3cfea1c3e34ec09f637424ad
[2] https://gitlab.archlinux.org/archlinux/packaging/packages/xz/-/issues/2
[3] https://security.archlinux.org/CVE-2024-3094
[4] https://www.openwall.com/lists/oss-security/2024/03/29/4