technology

22835 readers

1 users here now

On the road to fully automated luxury gay space communism.

Spreading Linux propaganda since 2020

Rules:

1. Obviously abide by the sitewide code of conduct. Bigotry will be met with an immediate ban
2. This community is about technology. Offtopic is permitted as long as it is kept in the comment sections
3. Although this is not /c/libre, FOSS related posting is tolerated, and even welcome in the case of effort posts
4. We believe technology should be liberating. As such, avoid promoting proprietary and/or bourgeois technology
5. Explanatory posts to correct the potential mistakes a comrade made in a post of their own are allowed, as long as they remain respectful
6. No crypto (Bitcoin, NFT, etc.) speculation, unless it is purely informative and not too cringe
7. Absolutely no tech bro shit. If you have a good opinion of Silicon Valley billionaires please manifest yourself so we can ban you.

founded 4 years ago

MODERATORS

[email protected]

liblzma and xz version 5.6.0 and 5.6.1 are vulnerable to arbitrary code execution compromise via sshd and systemd (xeiaso.net)

submitted 7 months ago* (last edited 7 months ago) by [email protected] to c/[email protected]

3 comments fedilink hide all child comments

top 3 comments

sorted by: hot top controversial new old

[–] [email protected] 8 points 7 months ago* (last edited 7 months ago) (1 children)

Debian security advisory - impacts Testing and Unstable. Stable unaffected. (Debian is upstream of A LOT of other distributions, such as Ubuntu)

Red Hat CVE - impacts Fedora 41 and Rawhide

Arch Linux announcement - Impacted, upgrade immediately

Gentoo bug - Package was in the Gentoo repository, masked by ~arch (unstable) keyword. Children who wildcard-unmask everything are impacted.

Surely there are more.

This is pretty bad.

[–] [email protected] 2 points 7 months ago* (last edited 7 months ago)

openSUSE - impacts Tumbleweed & MicroOS

NixOS - Unstable probably not affected?

[–] [email protected] 5 points 7 months ago

Perhaps worth mentioning: Some unknown person added malware to their tarball releases, specifically to backdoor ssh, which on most Linux distros was patched to load some systemd library, which in turn loads liblzma.