I can't understand either of these, but I have friends who use Linux. What is the simple warning I need to send to friends who use Linux?
If they're on a bleeding-edge OS with xz version 5.6.[0-1], their SSH is compromised. If they have the package from MacPorts, maybe not great (but it doesn't look like the malicious code fires off on Mac). What I've seen is Debian unstable, Red Hat unstable, and Arch STABLE mostly got bit.
The malicious code only appears to be built on Debian- and RPM-based distributions.
Probably something like "Run xz --version; if that reports 5.6.0 or 5.6.1, downgrade to 5.4.5 using sudo apt install xz-utils=5.4.5", since the current belief is that 5.4.6 is not vulnerable to this exploit, based on https://xeiaso.net/notes/2024/xz-vuln/, and Debian changed to using 5.4.5, so that's likely the safest bet. (In fact, running sudo apt install --update xz-utils might automatically get xz-utils=5.6.1+really5.4.5-1, but I haven't tested this.)
(edit: changed 5.4.6 recommendation to 5.4.5, since that's what Debian has)
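The version check suggested in the post above, written out as a small POSIX sh script so it can be sent along as-is. This is an added example, not code from anyone in the thread; it classifies the first line of `xz --version` output (the version string is a constructed sample in the test) and does not attempt any downgrade itself.

```shell
#!/bin/sh
# Added example: classify an `xz --version` banner line and check this machine.
# Prints "affected" for the two backdoored releases (5.6.0 and 5.6.1),
# "ok" for any other parsed version, "unknown" if the banner is unrecognised.
xz_version_status() {
    # $1 is the first line of `xz --version`, e.g. "xz (XZ Utils) 5.6.1"
    ver=$(printf '%s\n' "$1" | sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p')
    case "$ver" in
        5.6.0|5.6.1) echo affected ;;
        "")          echo unknown ;;
        *)           echo ok ;;
    esac
}

# Inspect the xz binary on PATH. Returns non-zero only when an affected
# version is found, so it can drive a follow-up action (e.g. the apt downgrade
# from the post) in a larger script.
check_installed_xz() {
    if ! command -v xz >/dev/null 2>&1; then
        echo "xz not installed"
        return 0
    fi
    banner=$(xz --version 2>/dev/null | head -n 1)
    status=$(xz_version_status "$banner")
    echo "$banner -> $status"
    [ "$status" != affected ]
}

check_installed_xz
```

Note that Debian's `5.6.1+really5.4.5-1` package still reports `5.4.5` from `xz --version`, so it is classified as ok.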
Thanks y'all, I've passed the message along!