https://www.openwall.com/lists/oss-secu ... 24/03/29/4
Seems it does not affect Debian stable, but does affect testing / unstable.
"openssh does not directly use liblzma. However debian and several other distributions patch openssh to support systemd notification, and libsystemd does depend on lzma."
From oss-security: backdoor in upstream xz/liblzma leading to ssh server compromise
Re: From oss-security: backdoor in upstream xz/liblzma leading to ssh server compromise
Hi, folks.
The writeup linked to, https://www.openwall.com/lists/oss-secu ... 24/03/29/4, has been submitted by the PostgreSQL developer, who detected the backdoor added to 64-bit versions of liblzma and who alerted not only Debian about it.
Here is the official Debian alert: [SECURITY] [DSA 5649-1] xz-utils security update
Trojanized versions are 5.5.1alpha-0.1 through to 5.6.1-1.
You may check the version on your systems by executing the command

xz --version

or

dpkg --list xz-utils liblzma5

Karl
--
My MX-Linux 21.3 returns this by the way:

$ xz --version
xz (XZ Utils) 5.4.1
liblzma 5.4.1
"I killed her in pure self-defense", said the bear after crushing the mouse. "She threatened my life."
The Prophet's Song
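The version check the post above describes, turned into a small script. This is an added example, not code from the thread or from the xz or Debian projects: it parses the first line of `xz --version`, reduces the version to its upstream major.minor.patch part, and flags anything inside the range the quoted advisory gives (5.5.1alpha-0.1 through 5.6.1-1). The function names and the sample output string are my own; the sample reproduces the MX-Linux 21.3 output shown in the post.

```shell
#!/bin/sh
# Added example (not from the thread): is the installed xz/liblzma version in the
# trojanized range the Debian advisory quoted above gives (5.5.1alpha-0.1 .. 5.6.1-1)?
# Only the upstream major.minor.patch part is compared; Debian revision suffixes
# (-0.1, -1) and pre-release tags (alpha) are stripped before comparing.

# Turn "5.6.1", "5.5.1alpha" or "5.6.1-1" into one comparable integer,
# e.g. 5.6.1 -> 5006001. Anything after the numeric part is discarded.
xz_version_key() {
    v=$(printf '%s\n' "$1" | sed 's/-.*$//; s/[^0-9.].*$//')
    set -- $(printf '%s\n' "$v" | tr '.' ' ')
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# Returns 0 (true) when the version lies inside the trojanized range, 1 otherwise.
# Range bounds are the ones stated in the advisory quoted in the post above.
xz_version_is_trojanized() {
    k=$(xz_version_key "$1")
    lo=$(xz_version_key "5.5.1alpha")
    hi=$(xz_version_key "5.6.1")
    [ "$k" -ge "$lo" ] && [ "$k" -le "$hi" ]
}

# Pull the version number out of `xz --version` output,
# e.g. "xz (XZ Utils) 5.4.1" -> "5.4.1" (first line only).
xz_version_from_output() {
    printf '%s\n' "$1" | sed -n '1s/.* \([0-9][0-9.]*[A-Za-z]*\).*/\1/p'
}

# Constructed sample: the output the post above shows for MX-Linux 21.3.
SAMPLE_MX_OUTPUT='xz (XZ Utils) 5.4.1
liblzma 5.4.1'

# Check the xz binary on this host, if there is one. Prints a verdict and
# returns 0 when the installed version is outside the trojanized range.
check_installed_xz() {
    if ! command -v xz >/dev/null 2>&1; then
        echo "xz is not installed on this host"
        return 0
    fi
    ver=$(xz_version_from_output "$(xz --version 2>/dev/null)")
    if xz_version_is_trojanized "$ver"; then
        echo "xz $ver is inside the trojanized range: update xz-utils/liblzma5 now"
        return 1
    fi
    echo "xz $ver is outside the trojanized range"
    return 0
}

# Show the verdict for the constructed MX sample, then for this host.
echo "sample: $(xz_version_from_output "$SAMPLE_MX_OUTPUT")"
check_installed_xz
```

The comparison deliberately ignores the Debian revision (`-1`, `-0.1`) because the advisory's range is expressed in upstream version terms; on a Debian-based system `dpkg --list xz-utils liblzma5` remains the authoritative check, since liblzma5 can be installed at a different version than the xz binary.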
Re: From oss-security: backdoor in upstream xz/liblzma leading to ssh server compromise
Yup, apparently this was an active development of a backdoor. As Andres Freund (the unsung hero for cyber security of this case) writes in his analysis, the developer actively obfuscated the backdoor code. The xz GitHub site has already been taken down and apparently it's not possible to contact the dev at the moment for some reason...
MX 23's version 5.4.1 is safe and there was already an update for Arch which removed the malicious code from 5.6.1-2 onwards (5.6.1-1 and 5.6.0-1 are malicious). Rolling distros should all push out an update soon, since this issue got the highest possible CVE rating (10.0) and will be on literally everyone's table this weekend.
Since it specifically targets ssh logins you can check if your system has an open ssh connection by trying to connect to the ssh server locally. In MX it's disabled by default.
ssh localhost
If it ain't broke, don't fix it.
Main: MX 23 | Second: Mint 22 | HTPC: Linux Lite 7 | VM Machine: Debian 12 | Testrig: Arch/FreeBSD 14 | Work: RHEL 8