this post was submitted on 29 Mar 2024
144 points (98.0% liked)

Programming

17309 readers
271 users here now

Welcome to the main community in programming.dev! Feel free to post anything relating to programming here!

Cross posting is strongly encouraged in the instance. If you feel your post or another person's post makes sense in another community cross post into it.

Hope you enjoy the instance!

Rules

Rules

  • Follow the programming.dev instance rules
  • Keep content related to programming in some way
  • If you're posting long videos try to add in some form of tldr for those who don't want to watch videos

Wormhole

Follow the wormhole through a path of communities [email protected]



founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] anzo 36 points 7 months ago (1 children)

A nice tl;dr was https://news.ycombinator.com/item?id=39866307

Copied here:

For those panicking, here are some key things to look for, based on the writeup:

  • A very recent version of liblzma5 - 5.6.0 or 5.6.1. This was added in the last month or so. If you're not on a rolling release distro, your version is probably older.

  • A debian or RPM based distro of Linux on x86_64. In an apparent attempt to make reverse engineering harder, it does not seem to apply when built outside of deb or rpm packaging. It is also specific to Linux.

  • Running OpenSSH sshd from systemd. OpenSSH as patched by some distros only pulls in libsystemd for logging functionality, which pulls in the compromised liblzma5.

Debian testing already has a version called '5.6.1+really5.4.5-1' that is really an older version 5.4, repackaged with a newer version to convince apt that it is in fact an upgrade.

It is possible there are other flaws or backdoors in liblzma5, though.

[–] [email protected] 14 points 7 months ago* (last edited 7 months ago) (1 children)

5.6.1+really5.4.1

Most sane Debian package management

[–] technom 1 points 7 months ago (1 children)

They really ought to have version masking like in Gentoo portage.

[–] [email protected] 1 points 7 months ago

Package management deserves more love on Debian, indeed. Yet they apparently have the largest collection of packages...