If you’re running version 5.6.0 or 5.6.1, downgrade immediately.

  • Faresh@lemmy.ml
    link
    fedilink
    English
    arrow-up
    23
    ·
    7 months ago

    Do not run xz --version. Instead check the version in your package manager.

  • henfredemars@infosec.pub
    link
    fedilink
    English
    arrow-up
    17
    ·
    7 months ago

    Wow! This was so close to perhaps being one of the worst security compromises in open source history.

    • CoolYori [she/her]@hexbear.net
      link
      fedilink
      English
      arrow-up
      12
      ·
      7 months ago

      For me I feel like we have not had any big security stuff since the whole log4j thing. While this seems bigger they have caught it relatively early. I feel like more people had to panic patch Minecraft servers with log4j.

      • yuli [she/her]@hexbear.net
        link
        fedilink
        English
        arrow-up
        7
        ·
        7 months ago

        maybe the libwebp vulnerability deserves a honorable mention, although i don’t think it has had as big an impact, it could’ve been way worse.

      • henfredemars@infosec.pub
        link
        fedilink
        English
        arrow-up
        6
        ·
        7 months ago

        My only reservation is that this compromised contributor has been working on the project for a few years. I hope that this is the end of the tunnel and there aren’t more issues to be uncovered with further analysis.

        • CoolYori [she/her]@hexbear.net
          link
          fedilink
          English
          arrow-up
          12
          ·
          7 months ago

          Its easy to spiral out of control thinking about how the practice that got us this backdoor is something that is used all over the open source community to build code. In the end we can only evaluate what is in front of us and pray the things lurking in the shadows are something we can deal with when they expose themselves.

    • hello_hello [comrade/them]@hexbear.net
      link
      fedilink
      English
      arrow-up
      6
      ·
      edit-2
      7 months ago

      The only people who will have this vulnerability AFAIK (and have it be actionable with the ssh backdoor) are folks running Debian unstable on a ssh server. The shitty part about this is a rupture in trust for the maintainers at xz.

      Honestly, the attacker picked a really shitty time frame considering their payload isn’t in any important point releases where they could have the most effect.

  • itappearsthat@hexbear.net
    link
    fedilink
    English
    arrow-up
    14
    ·
    edit-2
    7 months ago

    How to check your version without running xz on nixOS, the official OS of trans people:

    ls -l $(which xz)
    

    I’m at 5.4.4 thankfully.

  • Saff@lemmy.ml
    link
    fedilink
    English
    arrow-up
    7
    ·
    7 months ago

    So I assume the malicious code is being removed and a version 5.6.2 without it will be released soon? Or is it more complex to solve and I’m being naive?

    • CoolYori [she/her]@hexbear.net
      link
      fedilink
      English
      arrow-up
      10
      ·
      edit-2
      7 months ago

      So the backdoor was not in the source code but in the system used to build the code. Devs for a long time now have swapped over to an automated build system and what happened with this one is in the last step for the xz build process it adds the backdoor to it. You simply have to remove the references to the data in the build config.

      EDIT: Rewrote a sentence that sounded stupid

    • FriendBesto@lemmy.ml
      link
      fedilink
      English
      arrow-up
      5
      ·
      edit-2
      7 months ago

      Something like that. It should be patched shortly. Thank god for smart people and autists.

      • Abracadaniel [he/him]@hexbear.net
        link
        fedilink
        English
        arrow-up
        4
        ·
        7 months ago

        I’m no expert, but I’d assume the repository maintainers would pull the malicious packages ASAP. check to see if you have any updates available, if the malicious version is not available then you’re chilling squidward-chill

    • itappearsthat@hexbear.net
      link
      fedilink
      English
      arrow-up
      16
      ·
      7 months ago

      People aren’t 100% sure yet but preliminary analysis believes it is contained. Look forward to excrutiatingly-detailed levels of analysis to be published in the coming days and weeks, this is like every Foss Discourse topic tossed into a blender all at once.