Rich Mingin (PLUG) via plug on 29 Mar 2024 12:25:51 -0700 |
[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]
Re: [PLUG] xz backdoor... check your boxes |
You are correct. I should have been more clear. Arch was "affected" in that they had backdoored binaries in the wild, but not "affected" in that the backdoored binaries weren't linked up to sshd and actively exploiting/exploited. https://security.archlinux.org/CVE-2024-3094 (just more info) On Fri, Mar 29, 2024 at 3:23 PM Jonathan Caicedo <jonathan@jcaicedo.com> wrote: > > Eh, I’m hearing otherwise - Arch Linux did use impacted tarballs, but `sshd` on Arch is NOT linked against `liblzma` - so Arch wasn’t impacted in the same way Debian Unstable/Fedora 40 and Rawhide were. > > See the comments here - https://gitlab.archlinux.org/archlinux/packaging/packages/xz/-/issues/2 > > With that said, like Rich said, in 5.6.1-2, Arch has moved to cloning via Git and not using `xz` tarballs directly, so things should be mitigated if the fallout of this backdoor is larger than just `sshd`. > > I’ll echo the commenters on the Arch bug report - “there seems to be no cause for panic on Arch” > > — Jonathan > > On Mar 29, 2024, at 15:16, Rich Mingin (PLUG) via plug <plug@lists.phillylinux.org> wrote: > > Arch Linux *was* affected, but has released an updated/fixed build. > Ensure any Arch-based distros have 5.6.1-2 or greater installed. > > On Fri, Mar 29, 2024 at 2:53 PM Chad Waters via plug > <plug@lists.phillylinux.org> wrote: > > > Check your xz packages. Upstream 5.6.x contains malicious code. You should be reverting back to 5.4.x. Its made it way into some bleeding edge/development distros. > > > https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users > > > https://www.openwall.com/lists/oss-security/2024/03/29/4 > > > It made its way into Debian Sid and Testing (and has been reverted). > > https://tracker.debian.org/pkg/xz-utils > > > -Chad > > ___________________________________________________________________________ > > Philadelphia Linux Users Group -- http://www.phillylinux.org > > Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce > > General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug > > ___________________________________________________________________________ > Philadelphia Linux Users Group -- http://www.phillylinux.org > Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce > General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug ___________________________________________________________________________ Philadelphia Linux Users Group -- http://www.phillylinux.org Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug