gretchenleigh


in reply to @0xabad1dea's post:

If they're on a bleeding-edge OS with xz version 5.6.[0-1], their SSH is compromised. If they have the package from MacPorts, maybe not great (but it doesn't look like the malicious code fires off on Mac). What I've seen is Debian unstable, Red Hat unstable, and Arch STABLE mostly got bit.

Probably something like "Run xz --version; if that reports 5.6.0 or 5.6.1, downgrade to 5.4.5 using sudo apt install xz-utils=5.4.5", since the current belief is that 5.4.6 is not vulnerable to this exploit, based on https://xeiaso.net/notes/2024/xz-vuln/, and Debian changed to using 5.4.5, so that's likely the safest bet. (In fact, running sudo apt install --update xz-utils might automatically get xz-utils=5.6.1+really5.4.5-1, but I haven't tested this.)

(edit: changed 5.4.6 recommendation to 5.4.5, since that's what Debian has)
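
The version check discussed in the replies above, as an added example that is not part of either comment: a shell sketch that classifies a version string against the two releases named in the thread (5.6.0 and 5.6.1) and treats a Debian-style `5.6.1+really5.4.5-1` package version as the 5.4.5 it actually ships. The function names and the `affected` / `not-listed` / `unknown` labels are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): classify xz version strings.

# Reduce a version string to the upstream version actually shipped.
# Accepts "xz (XZ Utils) 5.6.1" as well as package versions such as
# "5.6.1-1" or the Debian rollback form "5.6.1+really5.4.5-1".
effective_xz_version() {
    v=$1
    case $v in
        *+really*) v=${v##*+really} ;;  # real version follows "+really"
    esac
    # Keep the first dotted triple of numbers in what remains.
    printf '%s\n' "$v" |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Print "affected" for the two releases named in the thread,
# "unknown" if no version could be parsed, "not-listed" otherwise.
classify_xz() {
    ver=$(effective_xz_version "$1")
    case $ver in
        5.6.0|5.6.1) echo affected ;;
        '')          echo unknown ;;
        *)           echo not-listed ;;
    esac
}

# Classify every line that `xz --version` prints (xz and liblzma).
check_local_xz() {
    command -v xz >/dev/null 2>&1 || { echo "xz not installed"; return 0; }
    xz --version | while IFS= read -r line; do
        echo "$line: $(classify_xz "$line")"
    done
}

check_local_xz
```

A check that only looks at the leading digits of the package version would flag `5.6.1+really5.4.5-1` as affected, which is why the `+really` suffix is handled before matching.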