The Linux Lugcast Podcast @lemux.minnix.dev minnix @lemux.minnix.dev 5mo ago

The package xz has been backdoored

matrix.to You're invited to talk on Matrix

You're invited to talk on Matrix

From invidious matrix room:

*PSA: The xz package (used by SSHD) has been backdoored @room

The upstream release tarballs for xz version 5.6.0 and 5.6.1 contain malicious code which adds a backdoor.

ArchLinux and most rolling release distro are affected. Debian Testing/Sid/Experimental are affected, Debian Stable ISN'T AFFECTED.

Short summary by the ArchLinux team: https://archlinux.org/news/the-xz-package-has-been-backdoored/

Your distro should have a blog post/message to tell you what to do, either update (if they provide an updated version) or downgrade to a known-good version.

Analysis: https://www.openwall.com/lists/oss-security/2024/03/29/4

More Infos: https://archlinux.org/news/the-xz-package-has-been-backdoored/ https://lists.debian.org/debian-security-announce/2024/msg00057.html https://github.com/tukaani-project/xz/issues/92*

0 comments