Atemu to Linux@lemmy.ml • 3 months agobackdoor in upstream xz/liblzma leading to ssh server compromisewww.openwall.commessage-square100fedilinkarrow-up1528arrow-down15cross-posted to: opensource@lemmit.onlinenetsec@links.hackliberty.orglinux_gaming@lemmit.onlineselfhosted@lemmy.worldlinux@lemmy.worldnetsec@lemmy.worldprogramming@programming.devcybersecurity@sh.itjust.workssecurity@lemmy.ml
arrow-up1523arrow-down1external-linkbackdoor in upstream xz/liblzma leading to ssh server compromisewww.openwall.comAtemu to Linux@lemmy.ml • 3 months agomessage-square100fedilinkcross-posted to: opensource@lemmit.onlinenetsec@links.hackliberty.orglinux_gaming@lemmit.onlineselfhosted@lemmy.worldlinux@lemmy.worldnetsec@lemmy.worldprogramming@programming.devcybersecurity@sh.itjust.workssecurity@lemmy.ml
minus-square@SavvyBeardedFish@reddthat.comlinkfedilinkEnglish17•3 months agoArchlinux’s XZ was compromised as well. News post Git change for not using tarballs from source
minus-square@flying_sheep@lemmy.mllinkfedilink13•3 months agoNo, read the link you posted: Arch does not directly link openssh to liblzma, and thus this attack vector is not possible. You can confirm this by issuing the following command: ldd "$(command -v sshd)" However, out of an abundance of caution, we advise users to remove the malicious code from their system by upgrading either way.
minus-square@progandy@feddit.delinkfedilink3•edit-23 months agoI think that was a precaution. The malicious build script ran during the build, but the backdoor itself was most likely not included in the resuling package as it checked for specific packaging systems. https://www.openwall.com/lists/oss-security/2024/03/29/22
Archlinux’s XZ was compromised as well.
News post
Git change for not using tarballs from source
No, read the link you posted:
I think that was a precaution. The malicious build script ran during the build, but the backdoor itself was most likely not included in the resuling package as it checked for specific packaging systems.
https://www.openwall.com/lists/oss-security/2024/03/29/22