> On Mar 30, 2024, at 13:16, Patrick O'Callaghan <pocallaghan@xxxxxxxxx> wrote: > > On Sat, 2024-03-30 at 12:08 -0500, Dave Ihnat wrote: >> Didn't see this go by, but it looks hot enough to risk a repeat >> posting. >> From a friend: >> >> It appears there's been a very serious effort to backdoor sshd on >> Linux via the xz compression/decompression system. >> >> https://www.openwall.com/lists/oss-security/2024/03/29/4 >> >> If you have anything running very recent Linux, it's worth >> investigating >> whether you're affected. > > AFAIK this only applies to Rawhide and the (as yet unreleased) F40, > both of which I assume will be patched ASAP. Thankfully, it looks like the version that was released in the Fedora 40 beta repos (v5.6.0) was compiled with a configure flag that prevented the backdoor from running, because the malicious code unintentionally caused Fedora’s QA process to reject the initial updated package (if I understand correctly). Upstream released a new version that allowed Fedora to build with the feature, it just didn’t make it in the beta freeze. Complete coincidence. Fedora has since reverted the xz packages to v5.4.6 in 40, so if you’re running the beta, you can `dnf downgrade xz*’ to get the older version, if it doesn’t automatically downgrade. We are pretty sure there are no other backdoors in xz or liblzma, but all the contributions by this author are getting heavy scrutiny. Some distros are even discussing reverting xz back until the version before the malicious co-maintainer joined the project, which will require significant effort. Major props to the Fedora team for handling this, and the security team at Red Hat who were involved with the discovery and investigation. We should also all thank Andres Freund for his meticulous discovery of the backdoor, without which, we might have ended up with it he backdoor running in production for many distros. -- Jonathan Billings -- _______________________________________________ users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
