

DecayWTF
@DecayWTF

Since it seems like there's been a lack - real or perceived - of simple information about the SSH compromise:

  • An important system library, xz, was hacked recently by one of the maintainers of said library.
  • The compromised code has been out in some form since February 24th.
  • Most Linux operating systems should be updated as soon as possible; if you know you haven't updated anything since before February 24th, don't until your distro says it's safe.
  • SteamOS is not affected.
  • macOS is not directly affected, but the compromised library is in Homebrew, so if you use that, you should update as well.
  • Windows is not affected, but Linux running in WSL can be, so update that too.

If none of this is anything that means anything to you, you probably don't have anything to worry about.

Footnote: If you want to check if you have a crocked version of xz, run xz -V at the command line. Versions 5.6.0 and 5.6.1 are the versions with the compromise.


ireneista
@ireneista

yes the simple information thing is important. thank you.


zumphry
@zumphry

in reply to @DecayWTF's post:

Thanks for the quick info, and while I'm gonna go do my own research on this, my first thought is: what does an admittedly fundamental compression library have to do with an SSL compromise?

Complex series of dependencies detailed in the CVE, but the short version is that some distributions (Debian especially) build SSH to link against liblzma, and the compromise appears to be targeted at that case. It seems like other distros are not really affected, but the compromise is pretty deep and we still don't know if there are other activation vectors.

here’s the relevant part from the original report on openwall as sometimes the lack of formatting can make these big technical reports hard to parse:

openssh does not directly use liblzma. However debian and several other distributions patch openssh to support systemd notification, and libsystemd does depend on lzma.
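Putting the two checks from this thread together (the xz -V version test from DecayWTF's footnote and the openssh → libsystemd → liblzma link described above) as an added shell example, not from any poster here; the xz -V and ldd output it runs on is constructed sample data, and check_host is a name I made up for it:

```shell
#!/bin/sh
# Added example, not from the thread: classify `xz -V` output together with
# the `ldd` output of sshd. Affected versions 5.6.0/5.6.1 and the
# sshd -> libsystemd -> liblzma chain come from the posts; samples are constructed.

# Returns 0 if the first line of `xz -V` output ("xz (XZ Utils) 5.6.1") names an
# affected release, 1 otherwise.
xz_version_is_compromised() {
    first=$(printf '%s\n' "$1" | head -n 1)
    ver=${first##* }
    case "$ver" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Returns 0 if ldd output shows liblzma.so loaded into the binary (directly or
# via libsystemd), 1 otherwise.
links_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# Prints one verdict token and always returns 0 so callers can capture it:
#   at-risk        affected xz AND sshd pulls in liblzma (the Debian case above)
#   update-needed  affected xz present but sshd does not load liblzma
#   ok             xz version is not in the affected set
check_host() {
    if xz_version_is_compromised "$1"; then
        if links_liblzma "$2"; then echo at-risk; else echo update-needed; fi
    else
        echo ok
    fi
}

# Constructed sample data so the script runs offline:
SAMPLE_XZ_BAD='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
SAMPLE_XZ_OK='xz (XZ Utils) 5.4.5
liblzma 5.4.5'
SAMPLE_LDD_LINKED='    libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f3a1c200000)
    liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f3a1c1c0000)'
SAMPLE_LDD_CLEAN='    libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f3a1c000000)'

# On a real host, replace the samples with live output:
#   check_host "$(xz -V 2>/dev/null)" "$(ldd "$(command -v sshd)" 2>/dev/null)"
echo "sample Debian-style host: $(check_host "$SAMPLE_XZ_BAD" "$SAMPLE_LDD_LINKED")"
echo "sample clean host:        $(check_host "$SAMPLE_XZ_OK" "$SAMPLE_LDD_CLEAN")"
```

An "update-needed" verdict still means the backdoored build is on the box; the ldd check only tells you whether sshd is the reachable path the thread describes.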

the top comment on the ars technica article about this is like “using systemd was not the problem you troglodytes they would’ve just compromised a different library”

Is there a spot where I can check to see if/when it's okay to update Ubuntu or Raspbian? Both the computers I have running those seem to be in the clear when I run the xz -V command, but I'm not sure where info would be published by either Ubuntu or whoever makes Raspbian to know when it's safe to update again?