Heads up: if you are using the testing/unstable version of Debian, Ubuntu, NixOS or another Linux OS based on these, there is malicious code in the latest xz package: https://www.openwall.com/lists/oss-security/2024/03/29/4

>The malicious injection present in the xz versions 5.6.0 and 5.6.1

>Luckily xz 5.6.0 and 5.6.1 have not yet widely been integrated by linux distributions, and where they have, mostly in pre-release versions.

Running stable versions is fine:

₿ xz --version
xz (XZ Utils) 5.4.1
liblzma 5.4.1


Discussion

h/t for the early warning nostr:npub1fusn44jf2h4zc7pal32a87qzhu2ruf49kd4vaws97d02jddnhs6s98gatx

All thanks should go to nostr:npub1rj2vpdz9wlklg9gf63e6jtvl0d4uqn36uplhqhnsns5envwnup6q3xag4u, got it from him

Appreciate the info about the versions impacted

Make sure to check on your Macs as well, the xz package is downgraded to xz 5.4.6 from 5.6.1 with the last brew upgrade.

nostr:note1ymdq8ynkvcy7s8d23r9v2kdjq0xsnd7puwwsakyxh9wlxke4dxdqwsah82

Here is how you can check if you're running the affected version:

xz --version
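As an added example (not part of any post in this thread), the check above turned into a small POSIX sh script: it parses the two lines that `xz --version` prints (the `xz (XZ Utils) …` line and the `liblzma …` line) and flags the 5.6.0 and 5.6.1 releases named in the oss-security post, so the same check can be run on Linux and on a Mac with the brew-installed xz. The function and variable names are assumptions of this example; the sample version output is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: flag xz / liblzma 5.6.0 and 5.6.1
# (the releases named in the oss-security post) from `xz --version` output.

# xz_affected VERSION_TEXT
#   Exit 0 if any "xz ..." or "liblzma ..." line reports version 5.6.0 or
#   5.6.1, exit 1 otherwise. Both lines are checked because the library
#   (liblzma) is what other programs load, not just the xz binary.
xz_affected() {
    printf '%s\n' "$1" | awk '
        /^(xz|liblzma) / {
            for (i = 1; i <= NF; i++) {
                if ($i == "5.6.0" || $i == "5.6.1") { hit = 1 }
            }
        }
        END { exit (hit ? 0 : 1) }'
}

# check_installed
#   Run the check against the xz found on PATH. Exit 0 if it is an affected
#   version, 1 if it looks fine, 2 if xz is not installed at all.
check_installed() {
    if ! command -v xz >/dev/null 2>&1; then
        echo "xz not installed"
        return 2
    fi
    out=$(xz --version 2>&1)
    if xz_affected "$out"; then
        echo "AFFECTED: $out"
        return 0
    fi
    echo "ok: $out"
    return 1
}

# Usage on a live machine (constructed invocation):
#   . ./xzcheck.sh && check_installed
```

The check is deliberately keyed on the exact version strings rather than on "5.6.x", because the thread only names 5.6.0 and 5.6.1; a downgrade to 5.4.6 via brew, as mentioned above, reports as fine.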

Things will get more interesting as the author of the malicious code has even more suspicious PRs for libarchive:

https://github.com/libarchive/libarchive/pull/1609

He replaced safe printf calls with unsafe versions. We as devs must be more vigilant when we accept PRs and add new dependencies.

nostr:nevent1qqszdksrjfmxvz0grk4g3jk9txeq8ngfklq788gwmzrtjh0ntv6knxsppemhxue69uhkummn9ekx7mp0qgs24sraj5yfee4d7z9ez4k58sdy4dv5ccfsklwtztkpnyqgckqe5tcrqsqqqqqp2zww3f