121

Hopefully this does not affect you but if you are running something like Arch, OpenSUSE tumbleweed, Debian sid or Fedora Rawhide and use SSH for remote access you should do a full wipe.

top 8 comments
sorted by: hot top controversial new old
[-] milicent_bystandr@lemm.ee 7 points 7 months ago

Wow, thank you for sharing this! Grumblegrumble have to reinstall my system...

This straight on the back of a thread about flatpak verification and security - a reminder that a lot of the incredible work of a distribution, especially Debian, is a community of people curating packages with care, and not just for how quick they can be made to work together.

Also a highlight for the work toward fully replicatable systems - if I understand right, the exploit here was snuck in in the binary, not in the source code.

[-] Nyfure@kbin.social 5 points 7 months ago

Well you only have to reinstall if you had affected versions installed.
For e.g. Debian stable, thats not the case. Or e.g. Arch sshd doesnt link to xz, so thats not a concern there.

Most systems wont be affected because their sshd doesnt link xz, didnt update to that version yet or simply isnt accessible from the outside.
Though it does show how vulnerable critical packages can be and how much better we need to protect them.

[-] SMillerNL@lemmy.world 1 points 7 months ago

No, it was snuck into the website download of the source code. If you got it from GitHub it was fine, if you got it from their website you got pwnd

[-] hydroptic@sopuli.xyz 3 points 7 months ago

That's not correct as far as I can tell. The backdoored code ended up in release tarballs (but not source tarballs because of autoconf fuckery), see eg. this mailing list discussion.

[-] SMillerNL@lemmy.world 2 points 7 months ago

Ah, you’re right. I wasn’t aware they had release tars on GitHub as well

[-] hydroptic@sopuli.xyz 7 points 7 months ago

HN comments have some more in-depth information about this https://news.ycombinator.com/item?id=39865810

[-] lauha@lemmy.one 1 points 7 months ago
[-] possiblylinux127@lemmy.zip 1 points 7 months ago

The good one I hope

this post was submitted on 30 Mar 2024
121 points (96.2% liked)

Sysadmin

7694 readers
326 users here now

A community dedicated to the profession of IT Systems Administration

No generic Lemmy issue posts please! Posts about Lemmy belong in one of these communities:
!lemmy@lemmy.ml
!lemmyworld@lemmy.world
!lemmy_support@lemmy.ml
!support@lemmy.world

founded 1 year ago
MODERATORS