Looks like there is no xz-utils in Arch, and it's not installed by default
in Pop_OS, FWIW...

On Sat, Apr 6, 2024 at 2:24 PM Ted Mittelstaedt <t...@portlandia-it.com>
wrote:

> I also appreciate the heads-up on this as I literally do have better
> things to do than spend an hour every day reviewing security exploit
> mailing lists. 😉
>
> Coming from a FreeBSD background this is why I have never liked the "yum
> install" and "apt-get" things that the Linux userbase takes for granted.
> Under FreeBSD you have ports and you install Unix software the way God
> intended Unix software to be installed, "make install"
> Then you actually get CHOICES on how to build.  Why does xz need to run
> the test sets anyway during building?  How stupid!  90% of what it's being
> built on is x86, it's going to result in the same binary.
>
> Note that this has happened before:
>
> https://lwn.net/Articles/853717/
>
> The most troubling aspect is that there's too little supervision of
> changes in projects.
>
> Ted
>
> -----Original Message-----
> From: PLUG <plug-boun...@lists.pdxlinux.org> On Behalf Of MC_Sequoia
> Sent: Friday, April 5, 2024 3:21 PM
> To: Portland Linux/Unix Group <plug@lists.pdxlinux.org>
> Subject: Re: [PLUG] - attack on sshd via xz => More XZ Libs malware info
>
> Firstly, thank you for making me aware of this!
>
> "It also helps that it really only made it to the public through Debian
> unstable and testing."
>
> According to this article,
> https://thenewstack.io/malicious-code-in-linux-xz-libraries-endangers-ssh/,
> xz is a "core Linux compression utility". I wasn't aware.
>
> So any unstable/testing distro is vulnerable. "Red Hat was first to break
> the news of the boobytrap."
>
> Here's the pkg & version info for those who want to do a quick system
> check.
>
> Package: xz-utils
> Version: 5.6.1+really5.4.5-1
>
> Refer to full Debian bug report =>
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068024&utm_source=the+new+stack&utm_medium=referral&utm_content=inline-mention&utm_campaign=tns+platform
>
> The most troubling aspect of this malware is this:
>
> "I count a minimum of 750 commits or contributions to xz by Jia Tan, who
> backdoored it.
>
> This includes all 700 commits made after they merged a pull request in Jan
> 2023, at which point they appear to have already had direct push access,
> which would have also let them push commits with forged authors. Probably a
> number of other commits before that point as well."
>
> So there might be more malware lurking and there might be more security
> fallout.