Comments

LastoftheDinosaurs, to linux in How do you track security vulnerabilities?

Same here. Our servers are so out of date that we might not have a version of xz with any commits from Jia Tan at all.

LastoftheDinosaurs, to linux in How do you track security vulnerabilities?

I rely on notifications from glsa-check or my distro’s package manager. I was notified about a problem with xz-utils on Thursday evening, but didn’t see anyone post about it until Friday morning.

glsa-check is a command-line tool included with the gentoolkit package in Gentoo Linux. Its primary function is to scan your system for installed packages that are vulnerable according to Gentoo Linux Security Advisories (GLSAs). GLSAs are official notifications from the Gentoo security team about security vulnerabilities that affect packages in the Gentoo repository.

LastoftheDinosaurs, to linux in backdoor in upstream xz/liblzma leading to ssh server compromise

Yeah, it’s probably fine. I also don’t use systemd. I was just pointing out that another rolling release distribution had the affected version.

LastoftheDinosaurs, to linux in Your first distribution

Red Hat Linux 6.0, back in 1999. It was one of the first distributions to include GNOME as the default desktop environment.

LastoftheDinosaurs, to linux in backdoor in upstream xz/liblzma leading to ssh server compromise

It was also on Gentoo. I had this version installed for a day or two.
