(Edge of CoHost) Snack Canary

@SnackCanary

Any Pronons Are Fine!

30-something
Black, andLikes Comics and junk.

(Edge of CoHost) Snack Canary @SnackCanary3/30/2024, 1:06 PM

⚡ Twilight Sparkle @twilight-sparkle

Nire Bryce @NireBryce3/29/2024, 5:44 PM

sound powered telephone whirr OpenSSH exploit made it to release in at least Debian, fedora unstable branches, maybe more. `xz` target

current fedora release may be hit too

hugops to every damage control party and home sysadmin with too many fedora and Debian based unstable/prerelease machines

(may effect more than that)

there's a script to detect it in the email thread

Red Hat Information Risk and Security and Red Hat Product Security learned that the latest versions of the “xz” tools and libraries contain malicious code that appears to be intended to allow unauthorized access.

https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users

https://www.openwall.com/lists/oss-security/2024/03/29/4

#openssh #ssh #CVE #computer security #infosec #sysadmin #self hosting #linux #debian #xz #fedora linux

K. Starling @kstarling3/29/2024, 8:02 PM

This package is part of the Arch Linux base system, so please treat ALL Arch-derived systems as compromised.

An update is already available from the primary Arch repository which removes the exploit, please upgrade ASAP.

#Arch Linux

⚡ Twilight Sparkle @twilight-sparkle3/30/2024, 11:35 AM

This page's posts are visible only to users who are logged in.

You must log in to comment.

in reply to @kstarling's post:

Nire Bryce @NireBryce3/29/2024, 10:59 PM

did it actually make it to release in arch yet

K. Starling @kstarling3/30/2024, 12:49 AM

It did, but they pushed a patch this morning to remove the malicious code, so everyone just needs to upgrade.

Nire Bryce @NireBryce3/30/2024, 1:02 AM

oh yikes

Pinned Tags