this post was submitted on 30 Mar 2024
305 points (89.6% liked)
Memes
45727 readers
1025 users here now
Rules:
- Be civil and nice.
- Try not to excessively repost, as a rule of thumb, wait at least 2 months to do it if you have to.
founded 5 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Arch isn't affected afaik, as it specifically targeted Debian and RPM. Also, sshd isn't linked against liblzma (or something along those lines). And I hope that's true, because otherwise, I had a backdoor on a public system for over a month.
https://archlinux.org/news/the-xz-package-has-been-backdoored/
And as https://www.openwall.com/lists/oss-security/2024/03/29/4 says:
"These conditions include targeting only x86-64 linux: [...] Building with gcc and the gnu linker [...] Running as part of a debian or RPM package build:"
I'm not an expert of course.
Holy shit that was a hell of a dive. And no wonder the dude got it working, he was just pounding those "test and translation" commits