The xz package (used by SSHD) has been backdoored

www.openwall.com

The xz package (used by SSHD) has been backdoored

www.openwall.com

@c0mmandoMA to

Netsec • 1 month ago

The upstream release tarballs for xz version 5.6.0 and 5.6.1 contain malicious code which adds a backdoor.

ArchLinux and most rolling release distro are affected.

Debian Testing/Sid/Experimental are affected, Debian Stable ISN’T AFFECTED.

Short summary by the ArchLinux team: https://archlinux.org/news/the-xz-package-has-been-backdoored/

Your distro should have a blog post/message to tell you what to do, either update (if they provide an updated version) or downgrade to a known-good version.

Analysis: https://www.openwall.com/lists/oss-security/2024/03/29/4

More Infos: https://archlinux.org/news/the-xz-package-has-been-backdoored/ https://lists.debian.org/debian-security-announce/2024/msg00057.html https://github.com/tukaani-project/xz/issues/92

You must log in or register to comment.

Chat

Netsec

!netsec@links.hackliberty.org

Create a post

You are not logged in. However you can subscribe from another Fediverse account, for example Lemmy or Mastodon. To do this, paste the following into the search field of your instance: !netsec@links.hackliberty.org

netsec is a community-curated aggregator of technical information security content. Our mission is to extract signal from the noise — to provide value to security practitioners, students, researchers, and hackers everywhere. ‎

Rules

Don’t do unto others what you don’t want done unto you.
No Porn, Gore, or NSFW content. Instant Ban.
No Spamming, Trolling or Unsolicited Ads. Instant Ban.
Stay on topic in a community. Please reach out to an admin to create a new community.

11 users / day
1 user / week
54 users / month
673 users / 6 months
619 subscribers
266 Posts
132 Comments
Modlog

mods:
@c0mmando