xz package backdoor!!!

Seems pretty serious! Update your systems now!!!

The vulnerability affects xz packages prior to version 5.6.1-2 (specifically 5.6.0-1 and 5.6.1-1).

Andres Freund noticed odd symptoms around liblzma (part of the xz package) on Debian sid installations over the past few weeks (ssh logins consuming a lot of CPU, valgrind errors) and concluded that the xz package has been backdoored.

The backdoor is present in the tarballs released upstream and contains the following line (originally not present in the source code):

After the update:

Running ldd (the shared-library dependency utility) to confirm that the openssh binary is not linked against liblzma.
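A scripted version of the two checks described above, written for this note and not part of the original post: it flags the affected package versions the post lists and greps an ldd listing for liblzma. The sshd path is an assumption, and the sample ldd output is constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Two defender-side checks:
# (a) is the installed xz package one of the versions the post names as
#     affected (5.6.0-1, 5.6.1-1)?
# (b) does an ldd listing of sshd reference liblzma at all?

# Return 0 when $1 is a package version the post lists as affected.
xz_version_affected() {
    case "$1" in
        5.6.0-1|5.6.1-1) return 0 ;;
        *)               return 1 ;;
    esac
}

# Read ldd-style output on stdin; return 0 if any line references liblzma.
ldd_links_liblzma() {
    grep -q 'liblzma' 
}

# Run the ldd check against a real binary (path is an assumption; override
# with the first argument). Returns 1 if liblzma shows up, 2 if no binary.
check_sshd() {
    bin="${1:-/usr/sbin/sshd}"
    if [ ! -x "$bin" ]; then
        echo "no such binary: $bin" >&2
        return 2
    fi
    if ldd "$bin" | ldd_links_liblzma; then
        echo "WARNING: $bin links liblzma; make sure xz is >= 5.6.1-2 and restart sshd"
        return 1
    fi
    echo "OK: $bin does not link liblzma"
    return 0
}

# Constructed ldd output (not captured from a real host) used to show the
# grep step without needing sshd installed.
SAMPLE_LDD_BAD='	linux-vdso.so.1 (0x0000)
	liblzma.so.5 => /usr/lib/liblzma.so.5 (0x0000)
	libc.so.6 => /usr/lib/libc.so.6 (0x0000)'

# Returns 0 when the constructed sample is flagged, as it should be.
demo_sample() {
    printf '%s\n' "$SAMPLE_LDD_BAD" | ldd_links_liblzma
}

# Usage: sh xz-check.sh [/path/to/sshd]
[ $# -gt 0 ] && check_sshd "$1"
```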

https://www.openwall.com/lists/oss-security/2024/03/29/4

https://archlinux.org/news/the-xz-package-has-been-backdoored

https://security.archlinux.org/ASA-202403-1
