mudle,
@mudle@lemmy.ml avatar

For all those wanting to know what version of the xz package you have, DO NOT use xz -V or xz --version. Ask your package manager instead; e.g. apt info xz-utils. Executing a potentially malicious binary IS NOT a good idea, so ask your package manager instead.

j4yt33,

I need the IASIP meme for this thumbnail

possiblylinux127,

That thumbnail is something else

youngGoku, (edited )

So if I have been using arch with infected xz library to connect to a Debian LTS server, am I compromised?

cybersandwich,

Assume yes until you can prove otherwise.

TwiddleTwaddle,

From what I’ve read both arch and debian stable aren’t vulnerable to this. It targeted mostly debian-testing.

rotopenguin,
@rotopenguin@infosec.pub avatar

As I heard it - the (naughty) build tooling looked for rpm and deb, and bailed out if they were absent.

Irate1013,

Arch put out a statement saying users should update to a non infected binary even though it doesn’t appear to affect Arch archlinux.org/…/the-xz-package-has-been-backdoore…

However, out of an abundance of caution, we advise users to remove the malicious code from their system by upgrading either way. This is because other yet-to-be discovered methods to exploit the backdoor could exist.

possiblylinux127,

I would pay attention to the news. You definitely want to upgrade immediately if you have not already

perishthethought,

Good explainer, if you need to catch up like I did:

en.m.wikipedia.org/wiki/XZ_Utils

Read the supply chain attack section.

Also, from the video…

X is losing its action! We LIKE!

Hell yeah we like.

tsonfeir,
@tsonfeir@lemm.ee avatar

Anyone got a link for this topic that isn’t a video?

BOFH666,

tukaani.org/xz-backdoor/

Check the links on that page.

BOFH666,

Thanks for the pointer.

This is really huge, but people don’t quite understand that yet.

If this wasn’t caught, every system -running public sshd- could be hacked or abused/misused.

And I completely agree with the last words, corporate should pay foss projects!

SMillerNL,

Even paid it might be hard to find maintainers with knowledge of the code

p03locke,
@p03locke@lemmy.dbzer0.com avatar
  • All
  • Subscribed
  • Moderated
  • Favorites
  • linux@lemmy.ml
  • fightinggames
  • All magazines