Jonathan Caicedo via plug on 29 Mar 2024 12:23:31 -0700



Re: [PLUG] xz backdoor... check your boxes


Eh, I’m hearing otherwise - Arch Linux did use impacted tarballs, but `sshd` on Arch is NOT linked against `liblzma` - so Arch wasn’t impacted in the same way Debian Unstable/Fedora 40 and Rawhide were. 

See the comments here - https://gitlab.archlinux.org/archlinux/packaging/packages/xz/-/issues/2

With that said, like Rich said, in 5.6.1-2, Arch has moved to cloning via Git and not using `xz` tarballs directly, so things should be mitigated if the fallout of this backdoor is larger than just `sshd`. 

I’ll echo the commenters on the Arch bug report - “there seems to be no cause for panic on Arch”

— Jonathan
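A small check script for the advice in this thread (added here; it is not code from any of the posters). It looks for the two things discussed above, the upstream xz release number and whether the sshd binary links liblzma, and assumes that `xz --version` prints the version as the last field of its first line and that sshd lives in one of the usual paths:

```shell
#!/bin/sh
# Added example, not part of the thread. Two checks the replies above imply:
# is the upstream xz release one of the ones named as malicious (5.6.0/5.6.1),
# and does the sshd binary link liblzma (directly or pulled in via libsystemd)?

# Match the upstream 5.6.0 / 5.6.1 release numbers only. Distro revisions are
# a separate question: the thread says Arch's 5.6.1-2 is rebuilt from git.
xz_version_is_backdoored() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Returns 0 if liblzma.so appears anywhere in the given ldd output.
ldd_output_links_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# Constructed sample ldd output, the shape seen on a systemd-patched sshd.
SAMPLE_LDD_LINKED='  libsystemd.so.0 => /usr/lib/libsystemd.so.0 (0x0000)
  liblzma.so.5 => /usr/lib/liblzma.so.5 (0x0000)
  libc.so.6 => /usr/lib/libc.so.6 (0x0000)'
# Constructed sample with no lzma dependency (what the thread describes for Arch).
SAMPLE_LDD_CLEAN='  libcrypto.so.3 => /usr/lib/libcrypto.so.3 (0x0000)
  libc.so.6 => /usr/lib/libc.so.6 (0x0000)'

# Live check of this host. Assumes "xz --version" prints the version as the
# last field of its first line and that sshd is at one of the usual paths.
check_host() {
    if command -v xz >/dev/null 2>&1; then
        ver=$(xz --version 2>/dev/null | awk 'NR==1 {print $NF}')
        if xz_version_is_backdoored "$ver"; then
            echo "xz $ver: upstream release that contains the malicious code"
        else
            echo "xz $ver: not one of the named upstream releases"
        fi
    fi
    for sshd in /usr/sbin/sshd /usr/bin/sshd /sbin/sshd; do
        [ -x "$sshd" ] || continue
        if ldd_output_links_liblzma "$(ldd "$sshd" 2>/dev/null)"; then
            echo "$sshd links liblzma: exposed if xz is a bad release"
        else
            echo "$sshd does not link liblzma"
        fi
        break
    done
}
check_host
```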

On Mar 29, 2024, at 15:16, Rich Mingin (PLUG) via plug <plug@lists.phillylinux.org> wrote:

Arch Linux *was* affected, but has released an updated/fixed build.
Ensure any Arch-based distros have 5.6.1-2 or greater installed.

On Fri, Mar 29, 2024 at 2:53 PM Chad Waters via plug <plug@lists.phillylinux.org> wrote:

Check your xz packages. Upstream 5.6.x contains malicious code. You should be reverting back to 5.4.x. It's made its way into some bleeding edge/development distros.

https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users

https://www.openwall.com/lists/oss-security/2024/03/29/4

It made its way into Debian Sid and Testing (and has been reverted).
https://tracker.debian.org/pkg/xz-utils

-Chad
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug