Replying to Avatar openoms

Heads up if using the testing / unstable version of Debian, Ubuntu, NixOS or other Linux OS based on these, there is malicious code in the latest xz package: https://www.openwall.com/lists/oss-security/2024/03/29/4

>The malicious injection present in the xz versions 5.6.0 and 5.6.1

>Luckily xz 5.6.0 and 5.6.1 have not yet widely been integrated by linux distributions, and where they have, mostly in pre-release versions.

Running stable versions are fine:

₿ xz --version

xz (XZ Utils) 5.4.1

liblzma 5.4.1

Avatar
fusion44 1y ago

Things will get more interesting as the author of the malicious code has even more suspicious PRs for libarchive:

https://github.com/libarchive/libarchive/pull/1609

He replaced safe printf calls with unsafe versions. We as devs must be more vigilant when we accept PRs and add new dependencies.

nostr:nevent1qqszdksrjfmxvz0grk4g3jk9txeq8ngfklq788gwmzrtjh0ntv6knxsppemhxue69uhkummn9ekx7mp0qgs24sraj5yfee4d7z9ez4k58sdy4dv5ccfsklwtztkpnyqgckqe5tcrqsqqqqqp2zww3f

Reply to this note

Please Login to reply.

Discussion

No replies yet.