On Sat, Mar 30, 2024 at 3:01 PM Jonathan Billings <billi...@negate.org> wrote:
>
> > On Mar 30, 2024, at 13:16, Patrick O'Callaghan <pocallag...@gmail.com> wrote:
> >
> > On Sat, 2024-03-30 at 12:08 -0500, Dave Ihnat wrote:
> >> Didn't see this go by, but it looks hot enough to risk a repeat
> >> posting.
> >> From a friend:
> >>
> >> It appears there's been a very serious effort to backdoor sshd on
> >> Linux via the xz compression/decompression system.
> >>
> >> https://www.openwall.com/lists/oss-security/2024/03/29/4
> >>
> >> If you have anything running very recent Linux, it's worth
> >> investigating whether you're affected.
> >
> > AFAIK this only applies to Rawhide and the (as yet unreleased) F40,
> > both of which I assume will be patched ASAP.
>
> Thankfully, it looks like the version that was released in the Fedora 40 beta
> repos (v5.6.0) was compiled with a configure flag that prevented the backdoor
> from running, because the malicious code unintentionally caused Fedora's QA
> process to reject the initial updated package (if I understand correctly).
> Upstream released a new version that allowed Fedora to build with the
> feature, it just didn't make it in the beta freeze. Complete coincidence.
> Fedora has since reverted the xz packages to v5.4.6 in 40, so if you're
> running the beta, you can `dnf downgrade xz*` to get the older version, if it
> doesn't automatically downgrade.
The last untainted version of xz is circa 5.2. Starting around version 5.4,
Jia Tan was making commits. And version 5.3 was a developer/debug build, so
you have to rewind a bit further to 5.2. Also see
<https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068024#5>.

The next problem-free release with ABI and symbol compat should be version
5.6.2 or above. I would tag it 5.7 or 6.0 since it is a major milestone (with
the mark being backdoor-free code). There's no telling when Lasse releases
that, however.

> We are pretty sure there are no other backdoors in xz or liblzma, but all the
> contributions by this author are getting heavy scrutiny. Some distros are
> even discussing reverting xz back until the version before the malicious
> co-maintainer joined the project, which will require significant effort.
>
> Major props to the Fedora team for handling this, and the security team at
> Red Hat who were involved with the discovery and investigation. We should
> also all thank Andres Freund for his meticulous discovery of the backdoor,
> without which, we might have ended up with the backdoor running in
> production for many distros.

Yeah, nice investigative work.

Jeff

--
_______________________________________________
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
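The "is this host affected" check that Dave's forwarded note asks for, and the downgrade Jonathan mentions, written out as an added shell example that is not part of this thread and not Fedora's own tooling. It assumes Fedora's rpm package naming (strings such as `xz-libs-5.6.0-2.fc40.x86_64`) and the usual `/usr/sbin/sshd` path; the function names are mine. The flagged version set is 5.6.0 and 5.6.1, the two upstream releases named in the CVE-2024-3094 advisory (the thread itself only mentions 5.6.0). Note the caveat Jonathan raises: a matching version number means the package should be downgraded, not that the backdoor was actually active in that build.

```shell
#!/bin/sh
# Added example (not from the thread): flag backdoored xz/liblzma package
# versions on an rpm-based host and report whether sshd loads liblzma.

# Returns 0 (true) when the given upstream version string is one of the
# releases named in the CVE-2024-3094 advisory: 5.6.0 and 5.6.1.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Extracts the upstream version from an rpm NVRA string, e.g.
# "xz-libs-5.6.0-2.fc40.x86_64" -> "5.6.0". Takes the string as an
# argument so it can be exercised without rpm installed (assumed naming).
xz_version_from_nvr() {
    printf '%s\n' "$1" |
        sed -E 's/^(xz|xz-libs)-([0-9]+\.[0-9]+\.[0-9]+).*/\2/'
}

# Returns 0 when the sshd binary at $1 is linked, directly or transitively
# (on Fedora via libsystemd), against liblzma; 2 if the binary is absent.
# Only meaningful on a real host, since it shells out to ldd.
sshd_links_liblzma() {
    [ -x "$1" ] || return 2
    ldd "$1" 2>/dev/null | grep -q 'liblzma'
}

# Live check: query the installed xz and xz-libs packages and report.
check_host() {
    for pkg in $(rpm -q xz xz-libs 2>/dev/null | grep -v 'not installed'); do
        ver=$(xz_version_from_nvr "$pkg")
        if xz_version_affected "$ver"; then
            echo "AFFECTED: $pkg (downgrade with: sudo dnf downgrade 'xz*')"
        else
            echo "ok: $pkg ($ver)"
        fi
    done
    if sshd_links_liblzma /usr/sbin/sshd; then
        echo "note: /usr/sbin/sshd links liblzma, so an affected xz-libs matters here"
    fi
}

# Run the live check only when invoked as `sh xz-check.sh --host`, so the
# functions above can also be sourced and tested in isolation.
if [ "${1:-}" = "--host" ]; then
    check_host
fi
```

The version test is deliberately an exact match rather than a range: 5.4.6, the version Fedora reverted to, and anything from 5.6.2 up both pass, while the later decision Jeff raises (whether to distrust everything after 5.2) is a policy choice for the distro, not something a version check on one host can settle.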