Re: Uh-oh...

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]


On Sat, Mar 30, 2024 at 3:01 PM Jonathan Billings <billings@xxxxxxxxxx> wrote:
> > On Mar 30, 2024, at 13:16, Patrick O'Callaghan <pocallaghan@xxxxxxxxx> wrote:
> >
> > On Sat, 2024-03-30 at 12:08 -0500, Dave Ihnat wrote:
> >> Didn't see this go by, but it looks hot enough to risk a repeat
> >> posting.
> >> From a friend:
> >>
> >>   It appears there's been a very serious effort to backdoor sshd on
> >>   Linux via the xz compression/decompression system.
> >>
> >>
> >>
> >>   If you have anything running very recent Linux, it's worth
> >> investigating
> >>   whether you're affected.
> >
> > AFAIK this only applies to Rawhide and the (as yet unreleased) F40,
> > both of which I assume will be patched ASAP.
> Thankfully, it looks like the version that was released in the Fedora 40 beta repos (v5.6.0) was compiled with a configure flag that prevented the backdoor from running, because the malicious code unintentionally caused Fedora’s QA process to reject the initial updated package (if I understand correctly). Upstream released a new version that allowed Fedora to build with the feature, it just didn’t make it in the beta freeze. Complete coincidence. Fedora has since reverted the xz packages to v5.4.6 in 40, so if you’re  running the beta, you can `dnf downgrade xz*’ to get the older version, if it doesn’t automatically downgrade.

The last untainted version of xz is circa 5.2. Starting around version
5.4, Jia Tan was making commits. And version 5.3 was a developer/debug
build, so you have to rewind a bit further to 5.2. Also see

The next problem free release with ABI and symbol compat should be
version 5.6.2 or above. I would tag it 5.7 or 6.0 since it is a major
milestone (with the mark being backdoor-free code). There's no telling
when Lasse releases that, however.

> We are pretty sure there are no other backdoors in xz or liblzma, but all the contributions by this author are getting heavy scrutiny. Some distros are even discussing reverting xz back until the version before the malicious co-maintainer joined the project, which will require significant effort.
> Major props to the Fedora team for handling this, and the security team at Red Hat who were involved with the discovery and investigation.  We should also all thank Andres Freund for his meticulous discovery of the backdoor, without which, we might have ended up with it he backdoor running in production for many distros.

Yeah, nice investigative work.

users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct:
List Guidelines:
List Archives:
Do not reply to spam, report it:

[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [EPEL Devel]     [Fedora Magazine]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Desktop]     [Fedora Fonts]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Fedora Sparc]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux