Backdoor in upstream xz/liblzma leading to ssh server compromise

scsijon
Posts: 202
Joined: Fri Jul 24, 2020 10:11 am
Has thanked: 6 times
Been thanked: 18 times

Backdoor in upstream xz/liblzma leading to ssh server compromise

Post by scsijon »

https://www.openwall.com/lists/oss-secu ... 24/03/29/4
there's more around if you search
jon

scsijon
Posts: 202
Joined: Fri Jul 24, 2020 10:11 am
Has thanked: 6 times
Been thanked: 18 times

Re: URGENT: backdoor in upstream xz/liblzma leading to ssh server compromise

Post by scsijon »

Further to this, apparently Microsoft's reply to the problem was:

Date: Sat, 30 Mar 2024 15:11:47 -0500
From: Rob Landley <rob@landley.net>
To: toybox <toybox@lists.landley.net>
Subject: [Toybox] Microsoft github took down the xz repo.
Message-ID: <ab361ddc-3133-062e-3e43-6c5d6d8b397c@landley.net>
Content-Type: text/plain; charset=UTF-8

FYI, Microsoft Github disabled the xz repository because it became
"controversial" (I.E. there was an exploit in the news).

https://social.coop/@eb/112182149429056593

https://github.com/tukaani-project/xz

I'm assuming if toybox ever has a significant bug, microsoft would respond by
deleting the toybox repository. There's a reason that I have
https://landley.net/toybox/git on my website, and my send.sh script pushes to
that _before_ pushing to microsoft github.

Luckily the xz guys don't seem to trust microsoft github either, because the
upstream of the xz-embedded repo with the public domain code I cloned is:

https://git.tukaani.org/xz-embedded.git

Which is still available.

Rob

ozsouth
Posts: 1569
Joined: Sun Jul 12, 2020 2:38 am
Location: S.E. Australia
Has thanked: 241 times
Been thanked: 704 times

Re: URGENT: backdoor in upstream xz/liblzma leading to ssh server compromise

Post by ozsouth »

Default puppies seem to be safe, as 5.6.0+ is not used there. xz versions used in recent puppies:

5.4.1  Bookwormpup64-10.0.6
5.4.1  Vanilladpup-10.0.47
5.2.4  Fossapup64-9.6-4CE
5.2.5  s15pup64-22.12-240223

Older default puppies unaffected. xz was not upgraded in any of my recent remasters. 'Latest is not always greatest'.
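A small check script along the lines of the version list above, added here as an example (it is not from this thread or from the Puppy maintainers): it parses `xz --version` style output, classifies the liblzma version against the two backdoored releases 5.6.0 and 5.6.1, and optionally reports whether the host's sshd links liblzma at all. The sample output string is constructed so the parser can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the forum thread: classify an XZ Utils / liblzma
# version against the backdoored releases (5.6.0 and 5.6.1) and report on
# the running host.

# Constructed sample in the format `xz --version` prints, for offline use.
SAMPLE_OUTPUT='xz (XZ Utils) 5.4.1
liblzma 5.4.1'

# Pull the liblzma version out of `xz --version` style output; fall back to
# the xz version on the first line when no liblzma line is present.
liblzma_version_from_output() {
    printf '%s\n' "$1" | awk '
        /^liblzma/ { lib = $2 }
        /^xz /     { xz  = $NF }
        END        { print (lib != "" ? lib : xz) }'
}

# "backdoored" for 5.6.0 / 5.6.1, "clean" for anything else (pre-5.6
# releases and 5.6.2 onwards do not carry the implant).
xz_version_status() {
    case "$1" in
        5.6.0|5.6.1) echo backdoored ;;
        *)           echo clean ;;
    esac
}

# Live check: installed version, plus whether sshd links liblzma, which is
# the path the backdoor used on distributions whose sshd links libsystemd.
check_host() {
    if command -v xz >/dev/null 2>&1; then
        v=$(liblzma_version_from_output "$(xz --version 2>/dev/null)")
        echo "installed liblzma $v: $(xz_version_status "$v")"
    else
        echo "xz not found on PATH"
    fi
    sshd=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
    if [ -x "$sshd" ] && ldd "$sshd" 2>/dev/null | grep -q liblzma; then
        echo "note: $sshd links liblzma"
    fi
}

# Self-check on the constructed sample, then inspect the host.
sample=$(liblzma_version_from_output "$SAMPLE_OUTPUT")
echo "sample: liblzma $sample is $(xz_version_status "$sample")"
check_host
```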

captainkennway
Posts: 10
Joined: Thu Mar 28, 2024 6:38 am
Has thanked: 15 times

Re: URGENT: backdoor in upstream xz/liblzma leading to ssh server compromise

Post by captainkennway »

I'm using jackal pup and there are liblzma 5.2.4 and xz-utils 5.2.4 already installed in my package manager
