Re: [tor-relays] User advisory to check for xz-utils backdoor

2024-04-02 Thread boldsuck via tor-relays
On Friday, 29 March 2024 19:39:05 CEST pasture_clubbed242--- via tor-relays wrote:

> 
> The near-universally used 'xz' compression library has been found to contain
> a backdoor in certain code branches. This backdoor has made it into some
> systems such as Debian Sid.
> 
> Details regarding this backdoor are available here.
> https://www.openwall.com/lists/oss-security/2024/03/29/4

Pretty unlikely that anyone uses testing or sid for productive servers.


-- 
╰_╯ Ciao Marco!

Debian GNU/Linux

It's free software and it gives you freedom!

___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays


[tor-relays] User advisory to check for xz-utils backdoor

2024-04-02 Thread pasture_clubbed242--- via tor-relays
Greetings,

I do not normally use mailing lists such as this one to inform subscribers of 
security notices, but this issue is extreme enough where it may benefit the 
anonymity of Tor users if relay operators are aware of it sooner. 


The near-universally used 'xz' compression library has been found to contain a 
backdoor in certain code branches. This backdoor has made it into some systems 
such as Debian Sid. 

Details regarding this backdoor are available here.
https://www.openwall.com/lists/oss-security/2024/03/29/4

It is suspected that if your OpenSSH server links to the xz library, which 
Debian appears to do, then this backdoor is remotely exploitable. If your 
OpenSSH server does not link to this library, then your system still contains 
many processes that run xz actions as the root user, some input of which may be 
less than trusted.

For those needing a patch, I recommend you research your distribution's 
security advisory page for further information. 

References:
Debian Sid Advisory: https://security-tracker.debian.org/tracker/CVE-2024-3094

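
A defensive check for the condition the advisory above describes, whether the local OpenSSH server loads the xz library (liblzma), added here as an example and not part of the original thread. The function names, the `/usr/sbin/sshd` fallback path and the sample `ldd` output are assumptions; the printed xz version is meant to be compared against your distribution's advisory.

```shell
#!/bin/sh
# Added example (not from the thread): report whether sshd loads liblzma.

# Constructed sample of `ldd` output, used only to exercise the parser.
SAMPLE_LDD='	libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f0000200000)
	liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f0000100000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000000000)'

# Read `ldd` output on stdin and print the resolved liblzma path(s).
# Returns 0 if liblzma is among the loaded libraries, 1 otherwise.
# ldd lists transitive dependencies too, so a library pulled in through
# another library (not only a direct link) is reported as well.
liblzma_from_ldd() {
    awk '$1 ~ /^liblzma\.so/ {
             if ($2 == "=>" && $3 != "not") print $3
             else print $1
             found = 1
         }
         END { exit (found ? 0 : 1) }'
}

# Inspect the sshd binary on this host (path optional) and print a summary.
# Always returns 0 so it is safe to call from other scripts.
report_sshd() {
    sshd_bin=${1:-$(command -v sshd 2>/dev/null || true)}
    # sshd usually lives in /usr/sbin, which is often not on a user's PATH.
    if [ -z "$sshd_bin" ] && [ -x /usr/sbin/sshd ]; then
        sshd_bin=/usr/sbin/sshd
    fi
    if [ -z "$sshd_bin" ] || [ ! -x "$sshd_bin" ]; then
        echo "sshd not found; nothing to check"
        return 0
    fi
    if ! command -v ldd >/dev/null 2>&1; then
        echo "ldd not available; cannot list libraries for $sshd_bin"
        return 0
    fi
    if lib=$(ldd "$sshd_bin" 2>/dev/null | liblzma_from_ldd); then
        echo "$sshd_bin loads liblzma: $lib"
    else
        echo "$sshd_bin does not load liblzma"
    fi
    # Installed xz/liblzma version, for comparison with the distro advisory.
    if command -v xz >/dev/null 2>&1; then xz --version; fi
    return 0
}

report_sshd "${1:-}"
```

As the advisory notes, an sshd that does not load liblzma does not clear the host: other processes still run xz, so the installed version needs checking against the advisory either way.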