domi,
@domi@donotsta.re avatar

PSA: Backdoor in latest version of xz: https://openwall.com/lists/oss-security/2024/03/29/4

Downgrade if you’re running one of the latest xz versions; it has been compromised. If you’re using mainstream distros, you may be fine (as they lag with versions a bit behind master). If you’re running Alpine or any other non-gnu or non-systemd distro, you should be fine too (the exploit checks for GNU, and also probably won’t work with distro-unpatched sshd).

famfo,
@famfo@chaos.social avatar

@domi Alpine not being affected just made my weekend a lot more relaxed

And our main server being aarch64 also seems to help that

domi,
@domi@donotsta.re avatar

@famfo same here!

  • Alpine not affected because it’s not linux-gnu and lack of systemd
  • Ubuntu unaffected because they lag with versions
  • NixOS unaffected because argv[0] isn’t /usr/sbin/sshd
  • oldstable Debian unaffected because oldstable Debian
  • Arch likely unaffected because no rpm/deb
  • Fedora 39 unaffected because xz 5.4.4 (idk about FC40/41)

I didn’t know that when I was making the announcement tho. I still think that it was a good call to tell people.
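An added triage helper, not part of this thread or of the xz project, that encodes the conditions listed above as checks a defender can run: is the libc target triple linux-gnu, does the distro's sshd link liblzma (the systemd-notify patch path that deb/rpm builds take), and is the installed xz one of the affected releases. The affected-version list is a placeholder to be filled from the linked oss-security post, and the sample link maps and version strings are constructed. The argv[0] condition (the NixOS case) is a property of the running sshd process rather than of the binary, so it is left to a manual check of /proc/<pid>/cmdline.

```shell
#!/bin/sh
# Added triage helper for the xz/sshd conditions discussed in the thread.
# Constructed example; not from the original post or from the xz project.
# AFFECTED_XZ_VERSIONS is a placeholder: fill it from the linked advisory.
AFFECTED_XZ_VERSIONS="${AFFECTED_XZ_VERSIONS:-<fill-from-advisory>}"

# Does this link map (output of `ldd /usr/sbin/sshd`) pull in liblzma?
# Distro-patched sshd on systemd systems links libsystemd, which in turn
# links liblzma; an unpatched upstream sshd has no such dependency.
sshd_links_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# Is the toolchain target a GNU libc triple (e.g. x86_64-linux-gnu)?
# The thread notes the payload checks for GNU; musl targets (Alpine) are out.
is_linux_gnu() {
    case "$1" in
        *-linux-gnu*) return 0 ;;
        *) return 1 ;;
    esac
}

# assess TRIPLE LDD_OUTPUT XZ_VERSION [AFFECTED_LIST]
# Prints one verdict line and returns 0 when all conditions for exposure
# hold, 1 otherwise. AFFECTED_LIST is a space-separated list of versions.
assess() {
    triple="$1"; ldd_out="$2"; xzver="$3"; affected="${4:-$AFFECTED_XZ_VERSIONS}"
    if ! is_linux_gnu "$triple"; then
        echo "not-exposed: target $triple is not linux-gnu"
        return 1
    fi
    if ! sshd_links_liblzma "$ldd_out"; then
        echo "not-exposed: sshd does not link liblzma"
        return 1
    fi
    case " $affected " in
        *" $xzver "*)
            echo "exposed: xz $xzver with liblzma-linked sshd on $triple"
            return 0 ;;
        *)
            echo "not-exposed: xz $xzver not in affected list"
            return 1 ;;
    esac
}

# Live use on the current host (needs sshd, xz and a C compiler installed):
#   assess "$(cc -dumpmachine)" "$(ldd "$(command -v sshd)" 2>/dev/null)" \
#          "$(xz --version | sed -n '1s/.*) //p')"

# Constructed sample link maps mirroring the two cases in the thread.
SAMPLE_LDD_SYSTEMD='    libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0
    liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5'
SAMPLE_LDD_PLAIN='    libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3'
```

The version match is an exact string comparison on purpose: distro packages carry their own release suffixes, so compare against what `xz --version` actually prints on the host, and treat a missing liblzma in the sshd link map as the strongest single signal of non-exposure.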

mei,
@mei@donotsta.re avatar

@domi it looks like Arch narrowly escaped being exploitable: https://gitlab.archlinux.org/archlinux/packaging/packages/xz/-/issues/2

domi,
@domi@donotsta.re avatar

@mei oh, that really narrows the window of distros that could actually be pwned. nice!
