xz backdoored.
|
Also a topic in the Slackware forum, thanks for the links.
|
Sorry, I did not see that. I did look in the News forum.
|
Nothing to be sorry about!
That thread is Slackware specific, so another in Security for all comers seems fine. The more info the better! |
Arch, Manjaro, Debian SID, and other cutting edge distributions already have the fixed libraries.
It will be in the security and backport set of more conservative distributions shortly. |
Quote:
Quote:
|
I have been wondering why my debian-spawn raspberry pi had gone so loco, could this backdoor be the reason?
|
Looks like Debian reverted to an older version for now.
https://bugs.debian.org/cgi-bin/bugr...gi?bug=1068024 |
openSUSE response for Tumbleweed:
"For some regions, there is a long weekend ahead – so expect no / few snapshots until early next week. For snapshot 0328, Ring0 has been completely bootstrapped (as the attack vectors for xz were not fully known, we went the safest route) and for 0329 all of Tumbleweed rebuilt against that new base; Expect that snapshot to appear ‘large’ (even though many packages will not be different)."
- I am not an insider, but... Bootstrapping usually means to build everything from source. It can also mean to start "clean" or from "nothing". Clean and nothing would depend on the context. Ring 0 is, I assume, a set of critical/basic software required to build the distribution and possibly installation media. I am aware of this list: https://build.opensuse.org/project/s...gs:0-Bootstrap
- We also took advantage of this rebuild to remove all the Python3.9 modules. So don't be surprised by upgrades of thousands of packages, just upgrade and very importantly, reboot your system.
- *only* x86_64 was affected.
- Best Wishes |
The original author of XZ Utils (Lasse Collin, Larhzu) has posted an initial statement - there aren't many details yet because they're still investigating. At time of writing it says:
Quote:
|
Here's a nice write-up... https://gist.github.com/thesamesam/2...e9ee78baad9e27
|
Interesting to note that if you pulled the GIT source instead of the tar file you would never see or use the infected code. Some distributions were immune because of that alone. Interesting that if your distribution does not use the SYSTEMD init 0 that you are immune. Interesting that the ONLY reason the library was ever included in SSHD was as a kludge to support SYSTEMD! Interesting that desktop/client installations that do not run SSHD were immune. The entire purpose of the injection appears to have been to provide a back door on servers running SYSTEMD using SSHD for secure remote access. I am now having a longer and more thoughtful look at distributions that have never used SYSTEMD! |
Although only a server should need to have something like sshd active, over the years I have seen many times when linux newbs have been advised to set up sshd, "just because their system will be more secure".
When I was installing slackware lately, I saw that it would enable sshd as a system service by default, except I cleared the asterisk for that. How many other distros might be enabling sshd by default? When you are looking for distros which do not use systemd, you should not count Slackware as one of them. Although there has been the discussion of how Slackware has not yet gone over to systemd - I just checked on my system, in fact systemd is already cooked into Slackware 15.0 - and systemd is running dbus, elogind, blueman, and emacs. For a few minutes I tried to disable it, or to rename it, to find some way for it not to load. No good, it is cooked into things so well I can not get rid of it. It appears slackware may be less than candid about its involvement with systemd. So I can not trust it anymore. Quote:
|
Quote:
If you do not need it for now, disable it. '/etc/rc.d/rc.sshd stop' followed by 'chmod -x /etc/rc.d/rc.sshd'. If you do need it and want to remain somewhat safe on the net, then stay away from systemd distros. |
What a systemd free install returns in my Terminal
Code:
$ xz -V
Not nervous here. |