Spyke
tsonfeir
lemm.ee

Anyone got a link for this topic that isn’t a video?

32
BOFH666
lemmy.world

Thanks for the pointer.

This is really huge, but people don't quite understand that yet.

If this wasn't caught, every system -running public sshd- could be hacked or abused/misused.

And I completely agree with the last words, corporate should pay foss projects!

14
SMillerNLreply
lemmy.world

Even paid it might be hard to find maintainers with knowledge of the code

7
mudle
lemmy.ml

For all those wanting to know what version of the xz package you have, DO NOT use xz -V or xz --version. Ask your package manager instead; e.g. apt info xz-utils. Executing a potentially malicious binary IS NOT a good idea, so ask your package manager instead.

10
Goku
lemmy.world

So if I have been using arch with infected xz library to connect to a Debian LTS server, am I compromised?

5
TwiddleTwaddlereply
lemmy.blahaj.zone

From what I've read both arch and debian stable aren't vulnerable to this. It targeted mostly debian-testing.

6
Irate1013reply
lemmy.ml

Arch put out a statement saying users should update to a non infected binary even though it doesn’t appear to affect Arch https://archlinux.org/news/the-xz-package-has-been-backdoored/

However, out of an abundance of caution, we advise users to remove the malicious code from their system by upgrading either way. This is because other yet-to-be discovered methods to exploit the backdoor could exist.

3
Possibly linuxreply
lemmy.zip

I would pay attention to the news. You definitely want to upgrade immediately if you have not already

1

You reached the end

Unveiling the xz Utils Backdoor which deliberately opens our SSH connections for RCAs | Spyke