12
The xz package (used by SSHD) has been backdoored (www.openwall.com)
submitted 2 months ago by c0mmando@links.hackliberty.org to c/netsec@links.hackliberty.org
0 comments fedilink hide all child comments

The upstream release tarballs for xz version 5.6.0 and 5.6.1 contain malicious code which adds a backdoor.

ArchLinux and most rolling release distro are affected.

Debian Testing/Sid/Experimental are affected, Debian Stable ISN'T AFFECTED.

Short summary by the ArchLinux team: https://archlinux.org/news/the-xz-package-has-been-backdoored/

Your distro should have a blog post/message to tell you what to do, either update (if they provide an updated version) or downgrade to a known-good version.

Analysis: https://www.openwall.com/lists/oss-security/2024/03/29/4

More Infos: https://archlinux.org/news/the-xz-package-has-been-backdoored/ https://lists.debian.org/debian-security-announce/2024/msg00057.html https://github.com/tukaani-project/xz/issues/92

no comments (yet)
sorted by: hot top controversial new old
there doesn't seem to be anything here
this post was submitted on 30 Mar 2024
12 points (100.0% liked)

Netsec

1 readers
139 users here now

netsec is a community-curated aggregator of technical information security content. Our mission is to extract signal from the noise — to provide value to security practitioners, students, researchers, and hackers everywhere. ‎

Rules

  1. Don't do unto others what you don't want done unto you.
  2. No Porn, Gore, or NSFW content. Instant Ban.
  3. No Spamming, Trolling or Unsolicited Ads. Instant Ban.
  4. Stay on topic in a community. Please reach out to an admin to create a new community.

founded 1 year ago
MODERATORS
c0mmando@links.hackliberty.org