Wow:

"That line is *not* in the upstream source of build-to-host, nor is build-to-host used by xz in git. However, it is present in the tarballs released upstream, except for the "source code" links, which I think github"

They pwned the release distribution; source in git is fine.

Nuts.
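One defensive check the quoted observation points at, as an added example that is not from this thread or the xz project: compare a release tarball's file list and content hashes against the git archive for the same tag, and flag anything present only in the tarball or changed between the two. The archives, package prefix and file contents below are constructed in memory, not real xz data.

```python
import hashlib
import io
import tarfile


def _add(tar, name, data):
    info = tarfile.TarInfo(name)
    info.size = len(data)
    tar.addfile(info, io.BytesIO(data))


def _digests(tar_bytes):
    # Map each regular file's path (top-level package directory stripped) to its SHA-256.
    out = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for m in tar.getmembers():
            if not m.isfile():
                continue
            path = m.name.split("/", 1)[1] if "/" in m.name else m.name
            out[path] = hashlib.sha256(tar.extractfile(m).read()).hexdigest()
    return out


def compare_release_to_git(release_tar, git_archive_tar):
    # Files only in the release tarball are where extra build scripts can hide;
    # expected generated files (configure, Makefile.in, ...) must be reviewed, not ignored.
    rel, git = _digests(release_tar), _digests(git_archive_tar)
    return {
        "only_in_release": sorted(set(rel) - set(git)),
        "only_in_git": sorted(set(git) - set(rel)),
        "modified": sorted(p for p in rel.keys() & git.keys() if rel[p] != git[p]),
    }


def _build(prefix, files):
    # Build a gzipped tarball in memory from a {path: bytes} mapping (constructed sample).
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            _add(tar, f"{prefix}/{name}", data)
    return buf.getvalue()


# Constructed sample trees: the release carries an extra m4/build-to-host.m4 and a
# generated configure script that the git tree does not contain.
GIT_TREE = {"configure.ac": b"AC_INIT\n", "m4/foo.m4": b"dnl foo\n"}
RELEASE_TREE = {**GIT_TREE, "m4/build-to-host.m4": b"dnl extra\n", "configure": b"#!/bin/sh\n"}

if __name__ == "__main__":
    print(compare_release_to_git(_build("pkg-1.0", RELEASE_TREE), _build("pkg-1.0", GIT_TREE)))
```

With real archives, pass the bytes of the downloaded tarball and of `git archive <tag>` output; a non-empty `modified` list, or an `only_in_release` entry that is not an expected generated file, is what needs a human look.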


Discussion

Source in git has the malicious binary, though. A malicious committer did it, not just anyone.

Fascinated to behold. 🍿

The source apparently does include some code that the exploit needs for it to work.