this post was submitted on 29 Mar 2024

The Linux Lugcast Podcast


From invidious matrix room:

PSA: The xz package (used by SSHD) has been backdoored @room

The upstream release tarballs for xz versions 5.6.0 and 5.6.1 contain malicious code which adds a backdoor.

ArchLinux and most rolling release distros are affected. Debian Testing/Sid/Experimental are affected, Debian Stable ISN'T AFFECTED.

Short summary by the ArchLinux team: https://archlinux.org/news/the-xz-package-has-been-backdoored/

Your distro should have a blog post/message to tell you what to do, either update (if they provide an updated version) or downgrade to a known-good version.

Analysis: https://www.openwall.com/lists/oss-security/2024/03/29/4

More info:
https://archlinux.org/news/the-xz-package-has-been-backdoored/
https://lists.debian.org/debian-security-announce/2024/msg00057.html
https://github.com/tukaani-project/xz/issues/92
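
A quick local check for the two versions named in the PSA above, as an added example that is not part of the original post or the quoted message: it parses `xz --version` output, which reports the xz tool and liblzma on separate lines, and flags 5.6.0 or 5.6.1 in either. The function name and the sample strings in the comments are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): flag the xz releases named
# in the PSA, 5.6.0 and 5.6.1, in the text printed by `xz --version`.
#
# Typical output has two lines, for example (constructed sample):
#   xz (XZ Utils) 5.4.5
#   liblzma 5.4.5
# The tool and the library are checked separately because they can differ.

# xz_reports_affected TEXT
#   Prints one result line per recognised version line.
#   Returns 0 if either line reports 5.6.0 or 5.6.1, otherwise 1.
xz_reports_affected() {
    found=1
    while IFS= read -r line; do
        case "$line" in
            "xz (XZ Utils) "*|"liblzma "*)
                ver=${line##* }            # last word on the line
                case "$ver" in
                    5.6.0|5.6.1)
                        printf 'AFFECTED: %s\n' "$line"
                        found=0 ;;
                    *)
                        printf 'ok:       %s\n' "$line" ;;
                esac ;;
        esac
    done <<EOF
$1
EOF
    return $found
}

# Live check, only when xz is installed on this machine.
if command -v xz >/dev/null 2>&1; then
    if xz_reports_affected "$(xz --version 2>/dev/null)"; then
        echo "xz/liblzma reports an affected version: follow your distro's advisory."
    else
        echo "xz/liblzma does not report 5.6.0 or 5.6.1."
    fi
fi
```

A match only means the reported upstream version is one of the two named releases; the distro advisory linked in the PSA says whether to update or downgrade.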
