this post was submitted on 30 Mar 2024
12 points (100.0% liked)

Netsec


netsec is a community-curated aggregator of technical information security content. Our mission is to extract signal from the noise: to provide value to security practitioners, students, researchers, and hackers everywhere.

Rules

  1. Don't do unto others what you don't want done unto you.
  2. No Porn, Gore, or NSFW content. Instant Ban.
  3. No Spamming, Trolling or Unsolicited Ads. Instant Ban.
  4. Stay on topic in a community. Please reach out to an admin to create a new community.


The upstream release tarballs for xz version 5.6.0 and 5.6.1 contain malicious code which adds a backdoor.

Arch Linux and most rolling-release distros are affected.

Debian Testing/Sid/Experimental are affected; Debian Stable ISN'T AFFECTED.

Short summary by the Arch Linux team: https://archlinux.org/news/the-xz-package-has-been-backdoored/

Your distro should have a blog post or message telling you what to do: either update (if they provide an updated version) or downgrade to a known-good version.

Analysis: https://www.openwall.com/lists/oss-security/2024/03/29/4

More info:

https://archlinux.org/news/the-xz-package-has-been-backdoored/
https://lists.debian.org/debian-security-announce/2024/msg00057.html
https://github.com/tukaani-project/xz/issues/92
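A quick triage helper, added here as an example and not part of the post above or of any distro's tooling: it parses the `xz --version` banner, flags the two backdoored upstream releases named in the post (5.6.0 and 5.6.1), and, on a live system, lists whether the local sshd pulls in liblzma through its shared-library dependencies, which is the path the openwall analysis describes. The version match is only a first filter: a distro may ship a rebuilt package that still reports an upstream 5.6.x version, so the distro advisory linked above is the authoritative answer. The sample `xz --version` text in the test is constructed.

```shell
#!/usr/bin/env sh
# Added example (not from the original post): triage an xz/liblzma install
# against the backdoored upstream releases 5.6.0 and 5.6.1.

# Extract the upstream version from `xz --version` output, whose first line
# looks like "xz (XZ Utils) 5.6.1". Prints nothing if the line does not match.
parse_xz_version() {
    printf '%s\n' "$1" | sed -n '1s/.*XZ Utils) \([0-9][0-9.]*\).*/\1/p'
}

# Exit 0 (true) when the upstream version is one of the backdoored releases.
# A rebuilt/patched distro package may still report 5.6.x, so treat a match as
# "check the distro advisory", not as proof of compromise.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Live check: only runs the external commands if they exist on this host.
# Also shows whether sshd's dependency chain reaches liblzma (ldd resolves
# transitive dependencies, e.g. sshd -> libsystemd -> liblzma).
check_local_system() {
    if command -v xz >/dev/null 2>&1; then
        v=$(parse_xz_version "$(xz --version 2>/dev/null)")
        if xz_version_affected "$v"; then
            echo "xz $v: matches a backdoored upstream release; consult your distro advisory"
        else
            echo "xz ${v:-unknown}: not a backdoored upstream version"
        fi
    else
        echo "xz not installed"
    fi

    sshd_bin=$(command -v sshd 2>/dev/null || true)
    [ -n "$sshd_bin" ] || [ ! -x /usr/sbin/sshd ] || sshd_bin=/usr/sbin/sshd
    if [ -n "$sshd_bin" ]; then
        if ldd "$sshd_bin" 2>/dev/null | grep -i lzma; then
            echo "sshd ($sshd_bin) loads liblzma via its dependency chain"
        else
            echo "no liblzma in sshd's shared-library dependencies"
        fi
    else
        echo "sshd not found"
    fi
}

# Run the live check when executed directly (not when sourced for testing).
case "$0" in
    *sh) : ;;
    *) check_local_system ;;
esac
```

Run it as a script on the host you are triaging, or source it into a shell and call the functions individually; the version and liblzma checks are independent, so a "not affected" version with sshd still linking liblzma is worth noting for future upstream advisories.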

no comments (yet)