Looks like someone managed to get a backdoor into ssh in Fedora and Debian testing. Patch systems ASAP.
Discussion
ouch!
Wow:
"That line is *not* in the upstream source of build-to-host, nor is build-to-host used by xz in git. However, it is present in the tarballs released upstream, except for the "source code" links, which I think github"
They pwned the release distribution; source in git is fine.
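The quoted point (a build-to-host file that exists in the release tarball but not in the git tree) is something a packager can check mechanically. The following is an added example, not code from the thread or from the xz project: it diffs the file set and SHA-256 digests of a release tarball against a checked-out tree, allowing an explicit list of files that are legitimately generated at release time (here `configure`). All file names and contents in `demo()` are constructed fixtures.

```python
import hashlib
import io
import tarfile
import tempfile
from pathlib import Path

def tree_digests(root: Path) -> dict:
    """Relative path -> sha256 of every regular file under a checked-out git tree."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def tarball_digests(tar_bytes: bytes) -> dict:
    """Same map for a release tarball; the top-level 'pkg-x.y.z/' directory is stripped."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for m in tf.getmembers():
            if m.isfile():
                out[m.name.split("/", 1)[-1]] = hashlib.sha256(tf.extractfile(m).read()).hexdigest()
    return out

def compare_release(tar_bytes: bytes, git_root: Path, expected_generated=()) -> dict:
    """Files only in the tarball (beyond the allow-list of generated files), only in git, or changed."""
    tar, git = tarball_digests(tar_bytes), tree_digests(git_root)
    return {
        "only_in_tarball": sorted(set(tar) - set(git) - set(expected_generated)),
        "only_in_git": sorted(set(git) - set(tar)),
        "modified": sorted(p for p in set(tar) & set(git) if tar[p] != git[p]),
    }

def make_tarball(files: dict, topdir: str) -> bytes:
    """Build an in-memory .tar.gz with the usual top-level directory (fixture helper)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, content in files.items():
            info = tarfile.TarInfo(f"{topdir}/{name}")
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()

def demo() -> dict:
    """Constructed fixture: a git tree, plus a tarball adding one generated file and one unreviewed m4 file."""
    git_files = {"configure.ac": b"AC_INIT([xz])\n", "m4/example.m4": b"dnl ok\n",
                 "src/liblzma/lzma.c": b"int lzma(void) { return 0; }\n"}
    tar_files = dict(git_files, **{"configure": b"#!/bin/sh\n",            # autoconf output, expected
                                   "m4/build-to-host.m4": b"dnl not in git\n"})  # only in the tarball
    with tempfile.TemporaryDirectory() as d:
        for name, content in git_files.items():
            (Path(d) / name).parent.mkdir(parents=True, exist_ok=True)
            (Path(d) / name).write_bytes(content)
        return compare_release(make_tarball(tar_files, "xz-0.0"), Path(d), expected_generated=("configure",))
```

A non-empty `only_in_tarball` or `modified` list is the signal to stop and review before packaging; it does not tell you the file is malicious, only that nobody reviewed it in git.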
Nuts.
Can we stop making nostr:npub1az9xj85cmxv8e9j9y80lvqp97crsqdu2fpu3srwthd99qfu9qsgstam8y8 happy please?
Wouldn’t happen in the BSDs 😏
Technically, the backdoor is in xz-utils, and affects sshd when it is linked into sshd at runtime, as happens in most Linux distributions. The backdoor could conceivably be designed to affect other programs in addition to sshd. (Of course, affecting sshd is bad enough).
It's a pretty sophisticated "supply chain" attack. Sadly, the upstream xz-utils project maintainer is either complicit or compromised.
nostr:note1mqvnsk7me3wt3xd2pqyu04chlvygdphkt5p8sm56wxa28agxtc5stt2l5q
lmao
Man's been busy, going to need to check their commit history...
According to this, it only made it to test systems?
The University of Minnesota did something similar as a PoC a few years ago with the kernel.
https://www.theverge.com/2021/4/30/22410164/linux-kernel-university-of-minnesota-banned-open-source