From oss-security: backdoor in upstream xz/liblzma leading to ssh server compromise

Posted: Fri Mar 29, 2024 6:42 pm
by frmald
https://www.openwall.com/lists/oss-secu ... 24/03/29/4

Seems it does not affect Debian stable, but does affect testing / unstable.

"openssh does not directly use liblzma. However debian and several other distributions patch openssh to support systemd notification, and libsystemd does depend on lzma."

Re: From oss-security: backdoor in upstream xz/liblzma leading to ssh server compromise

Posted: Sat Mar 30, 2024 7:06 am
by karlchen
Hi, folks.

The writeup linked to, https://www.openwall.com/lists/oss-secu ... 24/03/29/4, has been submitted by the PostgreSQL developer, who detected the backdoor added to 64-bit versions of liblzma and who alerted not only Debian about it.

Here is the official Debian alert: [SECURITY] [DSA 5649-1] xz-utils security update

Trojanized versions are 5.5.1alpha-0.1 through to 5.6.1-1.

You may check the version on your systems by executing the command

xz --version

or

dpkg --list xz-utils liblzma5
Karl
--
My MX-Linux 21.3 returns this by the way:

$ xz --version
xz (XZ Utils) 5.4.1
liblzma 5.4.1
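A script that automates the checks from karlchen's post together with the liblzma-via-libsystemd point quoted in the first post. This is an added example, not code from the thread or from the Debian advisory. It assumes the trojanized range karlchen gives (5.5.1alpha-0.1 through 5.6.1-1), that `xz --version` prints `xz (XZ Utils) <version>` on its first line, and it relies on `dpkg-query`, `ldd` and a `/usr/sbin/sshd` fallback path as assumptions about the host.

```shell
# Return 0 if a version string (upstream or Debian package form) falls in the
# range the thread names as trojanized: 5.5.1alpha-0.1 through 5.6.1-1.
xz_version_in_backdoor_range() {
    v=$1
    # Debian "+reallyX" downgrade labels: the real upstream version follows
    # "+really" (assumption about package naming, not from the thread).
    case "$v" in *+really*) v=${v##*+really} ;; esac
    case "$v" in
        5.5.1alpha*|5.5.2*|5.6.0*|5.6.1*) return 0 ;;
        *) return 1 ;;
    esac
}

# Pull the version out of `xz --version` output, e.g. "xz (XZ Utils) 5.4.1".
xz_version_from_output() {
    printf '%s\n' "$1" | sed -n 's/^xz (XZ Utils) \([^ ]*\).*/\1/p'
}

# Report on this host; always returns 0 so it is safe under `set -e`.
check_this_host() {
    if command -v xz >/dev/null 2>&1; then
        ver=$(xz_version_from_output "$(xz --version 2>/dev/null || true)")
        if xz_version_in_backdoor_range "$ver"; then
            echo "xz ${ver:-?}: IN TROJANIZED RANGE, update now"
        else
            echo "xz ${ver:-?}: not in trojanized range"
        fi
    fi
    # Same question asked of the package database (dpkg --list in the thread).
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Package} ${Version}\n' xz-utils liblzma5 2>/dev/null |
        while read -r pkg pver; do
            if xz_version_in_backdoor_range "$pver"; then
                echo "$pkg $pver: IN TROJANIZED RANGE"
            else
                echo "$pkg $pver: ok"
            fi
        done
    fi
    # The exposure needs sshd to load liblzma, which happens through libsystemd
    # on distributions that patch openssh for systemd notification.
    sshd=$(command -v sshd || echo /usr/sbin/sshd)
    if [ -x "$sshd" ] && ldd "$sshd" 2>/dev/null | grep -q liblzma; then
        echo "$sshd links liblzma: exposed if liblzma is trojanized"
    else
        echo "$sshd is absent or does not link liblzma"
    fi
    return 0
}
check_this_host
```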

Re: From oss-security: backdoor in upstream xz/liblzma leading to ssh server compromise

Posted: Sat Mar 30, 2024 8:15 am
by luk3Z
Interesting. I've just found this news on Discord: "(...) maintained by a malicious actor for the past 2+ years (...)"

Re: From oss-security: backdoor in upstream xz/liblzma leading to ssh server compromise

Posted: Sat Mar 30, 2024 8:29 am
by MadMax
Yup, apparently this was an active development of a backdoor. As Andres Freund (the unsung hero for cyber security of this case) writes in his analysis, the developer actively obfuscated the backdoor code. The xz GitHub site has already been taken down and apparently it's not possible to contact the dev at the moment for some reason...

MX 23's version 5.4.1 is safe and there was already an update for Arch which removed the malicious code from 5.6.1-2 onwards (5.6.1-1 and 5.6.0-1 are malicious). Rolling distros should all push out an update soon, since this issue got the highest possible CVE rating (10.0) and will be on literally everyone's table this weekend.

Since it specifically targets ssh logins you can check if your system has an open ssh connection by trying to connect to the ssh server locally. In MX it's disabled by default.

ssh localhost