Re: Backdoor in xz 5.6.0
- In reply to: Alan Somers : "Backdoor in xz 5.6.0"
Date: Sat, 30 Mar 2024 18:43:36 UTC
Hi all,

regarding xz… have you seen this?

https://github.com/libarchive/libarchive/pull/1609

regards

On 3/30/24 00:47, Alan Somers wrote:
> A malicious developer added a backdoor to xz 5.6.0 and 5.6.1, and
> snuck it into Fedora builds. That's the same version that FreeBSD
> CURRENT uses. For multiple reasons we aren't vulnerable (the
> malicious code isn't included in xz's git repo, only its dist
> tarballs, the malicious code is only triggered on x86_64 linux in an
> rpm or deb build, and the malicious code resides in a .m4 file which
> our build process doesn't use). But upstream considers all of 5.6.0
> to be untrustworthy and recommends that everyone to 5.4.5.
>
> summary: https://arstechnica.com/security/2024/03/backdoor-found-in-widely-used-linux-utility-breaks-encrypted-ssh-connections/
> details: https://www.openwall.com/lists/oss-security/2024/03/29/4
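The quoted message makes the point that the malicious code was present only in the release tarballs, not in the git repository. The check that follows from that is to diff the tarball's file list against the files tracked at the corresponding git tag and look hard at anything the tarball carries that git does not. The script below is an added example written for this archive page; it is not code from the thread, from FreeBSD, or from the xz project. The repository name `xz-1.0.0`, the file paths, and the allowlist of expected generated files are constructed sample data; `git_tracked_files` shells out to the real `git ls-tree` and is what you would use against a real checkout.

```python
"""Surface files that a release tarball ships but the git tag does not.

Added example for the xz backdoor thread; not the project's own tooling.
Sample tarball contents, tracked-file set and allowlist are constructed.
"""
from __future__ import annotations

import io
import subprocess
import tarfile
from pathlib import PurePosixPath


def git_tracked_files(repo_dir: str, ref: str) -> set[str]:
    """Paths tracked at `ref` in the checkout at `repo_dir` (needs git)."""
    out = subprocess.run(
        ["git", "-C", repo_dir, "ls-tree", "-r", "--name-only", ref],
        check=True, capture_output=True, text=True,
    ).stdout
    return {line for line in out.splitlines() if line}


def tarball_files(tf: tarfile.TarFile) -> set[str]:
    """Regular-file paths in the tarball, top-level directory stripped."""
    paths: set[str] = set()
    for member in tf.getmembers():
        if not member.isfile():
            continue
        parts = PurePosixPath(member.name).parts
        # dist tarballs wrap everything in "<name>-<version>/"
        paths.add("/".join(parts[1:]) if len(parts) > 1 else parts[0])
    return paths


def audit_tarball(tar_bytes: bytes, tracked: set[str],
                  expected_generated=()) -> tuple[list[str], list[str]]:
    """Return (extra, missing).

    extra:   in the tarball, not in git, and not on the allowlist of files
             that autotools legitimately generates at dist time.  Anything
             here, and especially anything in m4/ or with a .c/.h/.sh
             extension, deserves a manual read.
    missing: tracked in git but absent from the tarball.
    """
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        in_tar = tarball_files(tf)
    expected = set(expected_generated)
    extra = sorted(in_tar - tracked - expected)
    missing = sorted(tracked - in_tar)
    return extra, missing


# --- constructed sample data -------------------------------------------

def build_sample_tarball() -> bytes:
    """A tiny in-memory .tar.gz standing in for a dist tarball (constructed)."""
    files = {
        "xz-1.0.0/configure": "#!/bin/sh\necho configure\n",
        "xz-1.0.0/src/main.c": "int main(void) { return 0; }\n",
        # present only in the tarball: this is the kind of file to read
        "xz-1.0.0/m4/extra-helper.m4": "dnl constructed sample, not real\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, text in files.items():
            data = text.encode()
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# what `git ls-tree -r --name-only v1.0.0` would return for the sample repo
SAMPLE_TRACKED = {"src/main.c", "README"}
# files autotools is expected to add at `make dist` for this sample
SAMPLE_GENERATED = {"configure"}


def demo() -> tuple[list[str], list[str]]:
    """Run the audit on the constructed sample; returns (extra, missing)."""
    return audit_tarball(build_sample_tarball(), SAMPLE_TRACKED, SAMPLE_GENERATED)


if __name__ == "__main__":
    extra, missing = demo()
    print("tarball-only files (inspect these):", extra)
    print("tracked in git but not shipped:", missing)
```

Against a real release you would replace `SAMPLE_TRACKED` with `git_tracked_files("/path/to/checkout", "v5.6.0")` and build the allowlist from a tarball you regenerated yourself with the project's own `make dist`; the interesting output is whatever remains in `extra` after that, since a generated-file allowlist alone would not have flagged an m4 file if the project normally ships m4 files.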