TL;DR there was a backdoor found in the XZ program. All major distros have been updated but it is recommended that you do a fresh install on systems that are exposed to the internet and that had the bad version of the program. Only upstream distros were affected.

  • poVoq@slrpnk.net · 2 upvotes · 6 months ago

    This was basically a lucky catch. Sadly, it makes you wonder how many backdoors like that have not been found (yet). Nevertheless, the distro model of not feeding in upstream binaries directly is an important part of the multi-barrier security.

  • herrcaptain@lemmy.ca · 2 upvotes · 6 months ago

    “stable release of Arch Linux is also affected. That distribution, however, isn’t used in production systems.”

    Don’t tell me how to live my life, Ars Technica.

  • claudiom@blendit.bsd.cafe · 2 upvotes · 6 months ago

    For those on Android running Termux, it is also affected. Just checked my version of xz-utils and it was 5.6.1. Running “pkg upgrade” will roll back to version 5.4.5 (tagged as “5.6.1+really5.4.5” for both liblzma and xz-utils packages).

    • Possibly linux@lemmy.zip (OP) · 3 upvotes · 6 months ago

      Makes you wonder why Termux ships the latest stuff. It might be smart to allow more time for critical problems to get caught.

      • RvTV95XBeo@sh.itjust.works · 3 upvotes · edited · 6 months ago

        Probably for the exact same reason this backdoor was introduced. Users complain about slow feature rollouts so (unpaid) devs (maintaining software in their spare time out of the kindness of their hearts) cut corners. In some situations that looks like bringing on a second maintainer without thorough vetting, in others it looks like importing upstream packages without thorough vetting.

        Don’t blame the Termux devs here, blame the community that keeps pushing them to move faster.

  • Hellfire103@lemmy.ca · 1 upvote · 6 months ago

    Just makes you wonder what else (if anything) is backdoored. I am seriously 🤏 this close to just switching all of my boxes over to OpenBSD.

    The last time someone over there was approached about backdooring a related piece of software (which they refused), the OpenBSD devs manually screened the entire codebase, just in case something got in.

    Really, the only things I’d miss would be Minecraft, KDE, and Mullvad Browser; and of course I’d have to buy a couple more WiFi dongles (or learn how to port drivers from Linux).

    • Possibly linux@lemmy.zip (OP) · 1 upvote · 6 months ago

      I honestly think BSD has the potential to be worse due to a lack of people. I think the best option is to not be paranoid as a user. If someone needs to be paranoid, it is the maintainers.

      • BreakDecks@lemmy.ml · 0 upvotes, 1 downvote · 6 months ago

        “I think the best option is to not be paranoid as a user.”

        Yeah, just never be a dissident, or a whistleblower, or an activist, or a member of a vulnerable marginalized group. Remember, if you obey there’s no reason to fear being spied on.

        I really don’t think you understand how serious this kind of backdoor is. It puts certain people in real danger.

  • Jay🚩@lemmy.ml · 0 upvotes, 1 downvote · 6 months ago

    Meanwhile, non-systemd systems like NetBSD, FreeBSD, and OpenBSD are safer.

    • exscape@kbin.social · 1 upvote · 6 months ago

      What does this have to do with systemd? Aren’t they safer in this situation because they aren’t using the beta xz release?

      My systems running Debian stable with systemd also aren’t affected…

      • mister_monster@monero.town · 1 upvote · 6 months ago

        This particular backdoor affects sshd on systems that use libsystemd for logging.

        Your Debian system is probably not affected because Debian stable doesn’t update packages very quickly. You’re probably on an older release of the backdoored package.

    • ebits21@lemmy.ca · 1 upvote · 6 months ago

      You can have a nefarious developer working for a nation state infiltrate the supply chain for ANY OS.

      You don’t know.
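The two checks the thread talks around, as an added example that is not from any of the commenters above: claudiom's Termux comment (is the installed xz in the backdoored 5.6.0/5.6.1 range, and does a distro "5.6.1+really5.4.5" rollback tag count as clean) and mister_monster's point that sshd is only reachable through libsystemd pulling in liblzma. The helper functions take the version string and the `ldd` output as arguments so they can be exercised offline on constructed input; the live checks at the bottom run only when `xz`, `ldd` and an sshd binary are actually present. The sshd paths probed and the sample `ldd` lines are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the thread. Helpers for two questions raised
# in the discussion: is the installed xz one of the backdoored releases
# (5.6.0 / 5.6.1, CVE-2024-3094), and does sshd end up loading liblzma?

# Reduce either the first line of `xz --version` ("xz (XZ Utils) 5.6.1")
# or a distro package version such as "5.6.1+really5.4.5" to the real
# upstream version. The "+really" tag is a packaging convention: the text
# after it is the version that actually ships, which is what matters here.
xz_real_version() {
    v="$1"
    case "$v" in
        *+really*) v="${v##*+really}" ;;
    esac
    printf '%s\n' "$v" \
        | sed -n 's/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' \
        | head -n 1
}

# Return 0 (true) when the real version is one of the two backdoored releases.
xz_version_affected() {
    case "$(xz_real_version "$1")" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Given `ldd` output for an sshd binary, return 0 when liblzma is among its
# shared-library dependencies. sshd has no use for xz itself; on the affected
# distros it is reached transitively, sshd -> libsystemd -> liblzma, so
# seeing liblzma here is what makes the installed xz version matter for sshd.
sshd_links_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# Constructed sample ldd output (not captured from a real host) so the
# helper can be shown working without an sshd on the box.
SAMPLE_LDD='    linux-vdso.so.1 (0x00007ffd0000)
    libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f0001)
    liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f0002)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0003)'

# Offline demonstration on constructed inputs.
for sample in 'xz (XZ Utils) 5.6.1' 'xz (XZ Utils) 5.4.5' '5.6.1+really5.4.5'; do
    if xz_version_affected "$sample"; then
        echo "'$sample' -> real version $(xz_real_version "$sample"): AFFECTED"
    else
        echo "'$sample' -> real version $(xz_real_version "$sample"): not affected"
    fi
done
if sshd_links_liblzma "$SAMPLE_LDD"; then
    echo "sample ldd output: sshd links liblzma (via libsystemd)"
fi

# Live checks, only where the tools exist. Assumed sshd locations; adjust
# for your distro.
if command -v xz >/dev/null 2>&1; then
    first_line="$(xz --version 2>/dev/null | head -n 1)"
    if xz_version_affected "$first_line"; then
        echo "this host: '$first_line' is in the backdoored 5.6.0/5.6.1 range"
    else
        echo "this host: '$first_line' is not in the 5.6.0/5.6.1 range"
    fi
fi
for p in /usr/sbin/sshd /usr/bin/sshd /usr/local/sbin/sshd; do
    if [ -x "$p" ] && command -v ldd >/dev/null 2>&1; then
        if sshd_links_liblzma "$(ldd "$p" 2>/dev/null)"; then
            echo "this host: $p links liblzma; the xz version above applies to sshd"
        else
            echo "this host: $p does not link liblzma"
        fi
        break
    fi
done
```

A version in range plus an sshd that links liblzma is the combination the thread's comments describe; a version outside the range, or an sshd with no liblzma in its `ldd` output, means this particular backdoor cannot be reached through sshd on that host, whatever else may be true of it.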