Re: xz backdoor
Russ Allbery <rra@debian.org> writes:
> Sirius <sirius@trudheim.com> writes:
>> This is quite actively discussed on Fedora lists.
>> https://www.openwall.com/lists/oss-security/2024/
>> https://www.openwall.com/lists/oss-security/2024/03/29/4
>> Worth taking a look if action needs to be taken on Debian.
> The version of xz-utils was reverted to 5.4.5 in unstable yesterday by
> the security team and migrated to testing today. Anyone running an
> unstable or testing system should urgently upgrade.
I think the big open question we need to ask now is what exactly the
backdoor (or, rather, backdoors; we know there were at least two versions
over time) did. If they only target sshd, that's one thing, and we have a
bound on systems possibly affected. But liblzma is linked directly or
indirectly into all sorts of things such as, to give an obvious example,
apt-get. A lot of Debian developers use unstable or testing systems. If
the exploit was also exfiltrating key material, backdooring systems that
didn't use sshd, etc., we have a lot more cleanup to do.
I think this question can only be answered with reverse-engineering of the
backdoors, and I personally don't have the skills to do that.
--
Russ Allbery (rra@debian.org) <https://www.eyrie.org/~eagle/>
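An added example, not part of Russ's message or any Debian tooling: a small POSIX shell audit that lists which executables on a Debian host pull in liblzma (directly or through another library, which is what ldd resolves) and flags an installed liblzma5 that is still newer than the reverted 5.4.5. It assumes dpkg-query and ldd are present; the ldd lines used to exercise the parser are constructed.

```shell
#!/bin/sh
# Added example: audit a Debian host for executables whose dependency closure
# includes liblzma, and compare the installed liblzma5 against 5.4.5 (the
# version the security team reverted unstable to). Assumes dpkg-query and ldd.

# Read `ldd` output on stdin; print the resolved liblzma path and exit 0 if
# liblzma appears anywhere in the (transitive) dependency list, else exit 1.
liblzma_in_ldd() {
  awk '/liblzma\.so/ { found = 1; print $3 } END { exit !found }'
}

# Exit 0 if the Debian version string $1 (e.g. "5.6.1-1", a constructed value)
# has an upstream part newer than 5.4.5; the Debian revision after "-" is ignored.
newer_than_reverted() {
  printf '%s\n' "$1" | awk -F '[-.]' '
    { want[1] = 5; want[2] = 4; want[3] = 5
      for (i = 1; i <= 3; i++) {
        if ($i + 0 > want[i]) exit 0
        if ($i + 0 < want[i]) exit 1
      }
      exit 1 }'   # exactly 5.4.5: not newer
}

# Print every dynamically linked executable under the given directories
# whose dependency closure includes liblzma (apt-get will show up here).
audit_dirs() {
  for dir in "$@"; do
    for f in "$dir"/*; do
      [ -f "$f" ] && [ -x "$f" ] || continue
      # ldd reports "not a dynamic executable" for scripts; those are skipped.
      if ldd "$f" 2>/dev/null | liblzma_in_ldd >/dev/null; then
        printf '%s\n' "$f"
      fi
    done
  done
}

main() {
  ver=$(dpkg-query -W -f '${Version}' liblzma5 2>/dev/null)
  printf 'installed liblzma5: %s\n' "${ver:-unknown}"
  if newer_than_reverted "$ver"; then
    printf 'WARNING: newer than the reverted 5.4.5; upgrade before anything else\n'
  fi
  printf 'executables linking liblzma (directly or indirectly):\n'
  audit_dirs /usr/bin /usr/sbin
}

# The host scan runs only when invoked as: sh audit-liblzma.sh --audit
case "${1-}" in --audit) main ;; esac
```

The list it prints is the bound on what could have been reached through liblzma on that host; it does not say what the backdoor did, which is the reverse-engineering question the message raises.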