Walt Mankowski via plug on 29 Mar 2024 12:49:46 -0700



Re: [PLUG] xz backdoor... check your boxes


It also made its way into homebrew, but it's already been reverted:

$ brew outdated
xz (5.6.1) < 5.4.6

Ubuntu 23.10 is still on 5.4.1:

% dpkg -l xz-utils
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version      Architecture Description
+++-==============-============-============-=================================
ii  xz-utils       5.4.1-0.2    amd64        XZ-format compression utilities

On Fri, Mar 29, 2024 at 06:53:05PM +0000, Chad Waters via plug wrote:
> Check your xz packages. Upstream 5.6.x contains malicious code. You should be reverting back to 5.4.x. It's made its way into some bleeding edge/development distros.
> 
> https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users
> 
> https://www.openwall.com/lists/oss-security/2024/03/29/4
> 
> It made its way into Debian Sid and Testing (and has been reverted).
> https://tracker.debian.org/pkg/xz-utils
> 
> -Chad
> ___________________________________________________________________________
> Philadelphia Linux Users Group         --        http://www.phillylinux.org
> Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
> General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
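A small version check in the spirit of the "check your boxes" advice above, added here as an example and not part of the thread or of xz-utils itself. It parses the version out of lines like those shown above (`xz --version`, `brew outdated`, `dpkg -l`) and flags the upstream releases that the thread's "5.6.x" refers to, which are 5.6.0 and 5.6.1; the function names are my own.

```shell
#!/bin/sh
# Added example: classify an xz / liblzma version as affected or not.
# Assumption: the affected upstream releases are 5.6.0 and 5.6.1
# (the "5.6.x" in the thread); 5.4.x and earlier are treated as OK.

# Pull "major.minor.patch" out of a line such as
#   "xz (XZ Utils) 5.6.1", "xz (5.6.1) < 5.4.6", or dpkg's "5.4.1-0.2".
# Prints nothing when the line carries no three-part version.
xz_version_of() {
    printf '%s\n' "$1" |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' |
        head -n 1
}

# Exit status 0 (true) when the version is a known-affected release.
xz_is_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Classify one line of version output: prints AFFECTED, OK or UNKNOWN.
# UNKNOWN is deliberately distinct from OK so a parse failure never
# reads as a clean bill of health.
xz_classify() {
    v=$(xz_version_of "$1")
    if [ -z "$v" ]; then
        echo UNKNOWN
    elif xz_is_affected "$v"; then
        echo AFFECTED
    else
        echo OK
    fi
}

# Check the xz binary on this host, if there is one.
xz_check_local() {
    if command -v xz >/dev/null 2>&1; then
        line=$(xz --version 2>/dev/null | head -n 1)
        echo "$line -> $(xz_classify "$line")"
    else
        echo "xz not found in PATH"
    fi
}

xz_check_local
```

For a fleet, run `xz_classify` over the first line of `xz --version` collected from each host, and treat any AFFECTED or UNKNOWN result as something to look at rather than ignore.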