I was also very surprised/confused by that. But searching salsa.debian.org for liblzma doesn't turn anything up. I'm not sure why that one isn't built from source. 🤔🤷♂️
The CVE mentions that part of the backdoor was not in the source code. That part was in release tarballs created by the attacker. https://tukaani.org/xz-backdoor/ I don’t get how this stuff gets included in Debian and Fedora. I guess they pull in tarballs too.
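The point above (release tarball differs from the VCS tree) is something a packager can check mechanically. The following is an added example, not code from the thread or from xz/Debian/Fedora: it diffs a tarball against a source tree and reports files that only exist in the tarball and files whose bytes differ. The tree and tarball here are a constructed fixture; in practice the tree would come from a checkout of the signed release tag.

```python
import io
import os
import tarfile
import tempfile

def compare_tarball_to_tree(tarball_path, tree_dir, strip_prefix):
    """Return (extra, modified): tarball files absent from the tree, and
    files whose bytes differ from the tree's copy."""
    extra, modified = [], []
    with tarfile.open(tarball_path, "r:*") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue  # only regular files are compared here
            rel = member.name
            if rel.startswith(strip_prefix):
                rel = rel[len(strip_prefix):]  # drop the "proj-1.0/" top dir
            data = tar.extractfile(member).read()
            tree_path = os.path.join(tree_dir, rel)
            if not os.path.isfile(tree_path):
                extra.append(rel)
            elif open(tree_path, "rb").read() != data:
                modified.append(rel)
    return sorted(extra), sorted(modified)

def _add_bytes(tar, name, data):
    """Add an in-memory file to the tarball (used by the fixture)."""
    info = tarfile.TarInfo(name)
    info.size = len(data)
    tar.addfile(info, io.BytesIO(data))

def build_demo():
    """Constructed fixture: a fake VCS tree plus a 'release' tarball that
    adds one file and alters another. Returns (tarball, tree, prefix)."""
    root = tempfile.mkdtemp()
    tree = os.path.join(root, "tree")
    files = {"configure.ac": b"AC_INIT\n", "src/main.c": b"int main(){}\n"}
    for name, data in files.items():
        path = os.path.join(tree, name)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    tarball = os.path.join(root, "proj-1.0.tar.gz")
    with tarfile.open(tarball, "w:gz") as tar:
        for name, data in files.items():
            if name == "configure.ac":
                data += b"# line present only in the tarball\n"
            _add_bytes(tar, "proj-1.0/" + name, data)
        _add_bytes(tar, "proj-1.0/build-helper.m4", b"# not in VCS\n")
    return tarball, tree, "proj-1.0/"
```

Generated autotools output (configure, Makefile.in) will legitimately show up as extra files, so the useful signal is anything outside that expected set, especially m4 macros and test fixtures.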