SSH backdoor in upstream xz/liblzma release tarballs!
https://www.openwall.com/lists/oss-security/2024/03/29/4

After observing a few odd symptoms around liblzma (part of the xz package) on Debian sid installations over the last weeks (logins with ssh taking a lot of CPU, valgrind errors) I figured out the answer:

The upstream xz repository and the xz tarballs have been backdoored.

At first I thought this was a compromise of Debian's package, but it turns out to be upstream.


>>1288
site has been updated


>>1288
(x) that you are actually Mr. Freund

but the security vulnerability is real. It's important to note that the specific repository affected for the ssh backdoor is actually UPSTREAM from the ssh package itself. The affected package is 5.6.0+ of https://packages.debian.org/sid/liblzma5 for debian, or xz-utils on ubuntu https://packages.ubuntu.com/search?keywords=xz-utils

The actual repository is currently private but is called xz. Details on the specifics of the backdoor are given at the provided link in OP. Make sure that the package is *downgraded* to a version prior to 5.6.0 or otherwise removed from the system.