oss-sec mailing list archives
Re: backdoor in upstream xz/liblzma leading to ssh server compromise
From: Andres Freund <andres () anarazel de>
Date: Fri, 29 Mar 2024 10:07:29 -0700
Hi Alex,

(I was not subscribed to oss-security and not CCed, so I only got your email from the archive, not sure if I got the In-Reply-To etc. right. Subscribed now.)

> Thanks for writing this up. Just to make sure I understand the action item here: folks who are building their own xz should switch to a release prior to 5.6.0, as those are the only ones known to be unaffected?

If you are building your own xz you might not be affected, due to either the debian/ directory needing to exist, or $RPM_ARCH needing to be set.

Furthermore, if you build from git, rather than the distributed tarballs, the backdoor code won't be injected into the build, even if present in the repository. Similar if you build with cmake, I think.

However, I personally would still downgrade, even if likely not affected due to the above.

Greetings,

Andres Freund
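As an added check, not part of this thread and not the xz project's own tooling, the following POSIX shell script encodes the conditions the reply above lists for a self-built xz: the release relative to 5.6.0, git checkout versus distributed tarball, and the debian/ directory or $RPM_ARCH trigger. The function names, the numeric version encoding, the verdict strings and the file name check-xz.sh are my own assumptions.

```shell
#!/bin/sh
# Added example (check-xz.sh is a hypothetical name), not code from the thread
# or from the xz project. The 5.6.0 threshold and the debian/, RPM_ARCH and git
# conditions come from the message; everything else is this script's own.
# CMake is mentioned only tentatively in the message, so it is not treated as
# a safe build path here.

# ver_num "5.6.1" -> 5006001; tolerates "5.6" and suffixes such as "5.6.0-2".
ver_num() {
    v=${1%%[!0-9.]*}                      # keep only the leading digits-and-dots part
    v1=${v%%.*}; r=${v#*.}; [ "$r" = "$v" ] && r=0
    v2=${r%%.*}; s=${r#*.}; [ "$s" = "$r" ] && s=0
    v3=${s%%.*}
    echo $(( ${v1:-0} * 1000000 + ${v2:-0} * 1000 + ${v3:-0} ))
}

# assess_build VERSION SRCDIR: prints one verdict line for a build of VERSION
# from the source tree SRCDIR, following the reasoning in the reply.
assess_build() {
    ver=$1; src=$2
    if [ "$(ver_num "$ver")" -lt "$(ver_num 5.6.0)" ]; then
        echo "pre-5.6.0: release predates the backdoored series"
    elif [ -d "$src/.git" ]; then
        # Built from git: the injection step only exists in the tarballs.
        echo "git checkout: tarball-only injection step not run"
    elif [ -d "$src/debian" ] || [ -n "${RPM_ARCH:-}" ]; then
        echo "tarball build with debian/ or RPM_ARCH: injection conditions met, treat as affected"
    else
        echo "tarball build without debian/ or RPM_ARCH: injection conditions absent, downgrade anyway"
    fi
}

# When run directly: ./check-xz.sh 5.6.1 /path/to/xz-source
if [ "$#" -eq 2 ]; then
    assess_build "$1" "$2"
fi
```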