Linux Lite Forums

General => Security & Bug Fixes => Topic started by: trinidad on April 01, 2024, 10:35:59 AM

Title: libxz backdoors in upstream versions
Post by: trinidad on April 01, 2024, 10:35:59 AM
I heard about this last week but now the community has addressed the issue. Nothing I run was affected and Ubuntu and Debian both announced their Stable OS versions were not affected. Interesting article also listing distros affected at the link below.

https://www.helpnetsecurity.com/2024/03/31/xz-backdoored-linux-affected-distros/

The link below is to the guy who discovered the vulnerability. It also provides a vulnerability checking bash script which I ran on all my systems.

https://codenotary.com/blog/backdoor-in-upstream-xz

Just another reason why running Ubuntu LTS and/or Debian Stable is your best bet.
TC
Title: Re: libxz backdoors in upstream versions
Post by: trinidad on April 01, 2024, 10:37:19 AM
I heard about this last week but now the community has addressed the issue. Nothing I run was affected and Ubuntu and Debian both announced their Stable OS versions were not affected. Interesting article also listing distros affected at the link below.

https://www.helpnetsecurity.com/2024/03/31/xz-backdoored-linux-affected-distros/

The link below is to the guy who discovered the vulnerability. It also provides a vulnerability checking bash script which I ran on all my systems.

https://codenotary.com/blog/backdoor-in-upstream-xz

Just another reason why running Ubuntu LTS and/or Debian Stable is your best bet.
TC
Title: Re: libxz backdoors in upstream versions
Post by: Şerban S. on April 02, 2024, 07:19:55 AM
Thanks for the warning!

This is what I got running the script:

Code:
Checking system for CVE-2024-3094 Vulnerability...
https://nvd.nist.gov/vuln/detail/CVE-2024-3094

Checking for function signature in liblzma...
Function signature in liblzma: OK

Checking xz version using dpkg package manager...
xz version 5.2.5-2ubuntu1: OK

For now, it's OK, but trails might go on for some time. Probably the best line of work here is to update any package as soon as it gets notified.
Some low-level backup might also help. Just in case...

Best regards, Șerban.
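The output above shows the two things the linked checker looks at: the installed xz/liblzma version (via dpkg) and the library itself. As an added illustration that is not the codenotary script nor anything from this thread, the POSIX sh below does the version half of that check: it strips the distro packaging suffix from a version string and flags the two upstream releases that shipped the CVE-2024-3094 backdoor (5.6.0 and 5.6.1). The dpkg and `xz --version` sample strings are constructed for the demo; the `report_installed_xz` helper is the only part that touches the live system, and it simply says so when xz is not present.

```shell
#!/bin/sh
# Added example (not the checker linked in the thread): classify xz/liblzma
# version strings against the upstream releases known to carry CVE-2024-3094.
# Affected upstream releases: 5.6.0 and 5.6.1. A distro package such as
# 5.2.5-2ubuntu1 (seen in the output above) is a pre-5.6 upstream and is clean.

# xz_backdoor_status VERSION -> prints "affected" or "not-affected"
# The version may carry a Debian/Ubuntu suffix (5.6.1-1ubuntu1); the
# part before the first '-' is the upstream version we care about.
xz_backdoor_status() {
    upstream="${1%%-*}"
    case "$upstream" in
        5.6.0|5.6.1) echo "affected" ;;
        *)           echo "not-affected" ;;
    esac
}

# dpkg_version DPKG_STATUS_TEXT -> the Version: field of a `dpkg -s` block
dpkg_version() {
    printf '%s\n' "$1" | sed -n 's/^Version: //p'
}

# xz_cli_version XZ_VERSION_TEXT -> last word of the first line of `xz --version`
# (that line looks like "xz (XZ Utils) 5.6.1")
xz_cli_version() {
    printf '%s\n' "$1" | sed -n '1s/.* //p'
}

# report_installed_xz -> status of whatever xz binary is on PATH, or a note if none
report_installed_xz() {
    if command -v xz >/dev/null 2>&1; then
        v=$(xz_cli_version "$(xz --version 2>/dev/null)")
        echo "installed xz $v: $(xz_backdoor_status "$v")"
    else
        echo "xz not installed on this host"
    fi
}

# Constructed sample inputs (not captured from a real machine).
SAMPLE_DPKG_CLEAN='Package: xz-utils
Status: install ok installed
Version: 5.2.5-2ubuntu1'

SAMPLE_DPKG_BAD='Package: xz-utils
Status: install ok installed
Version: 5.6.1-1'

SAMPLE_XZ_BAD='xz (XZ Utils) 5.6.0
liblzma 5.6.0'

echo "dpkg sample $(dpkg_version "$SAMPLE_DPKG_CLEAN"): $(xz_backdoor_status "$(dpkg_version "$SAMPLE_DPKG_CLEAN")")"
echo "dpkg sample $(dpkg_version "$SAMPLE_DPKG_BAD"): $(xz_backdoor_status "$(dpkg_version "$SAMPLE_DPKG_BAD")")"
echo "xz --version sample $(xz_cli_version "$SAMPLE_XZ_BAD"): $(xz_backdoor_status "$(xz_cli_version "$SAMPLE_XZ_BAD")")"
report_installed_xz
```

A version match is only half the story, which is why the linked checker also inspects liblzma itself: on a Debian-based box the real query is `dpkg-query -W -f='${Version}' xz-utils` (and the `liblzma5` package), and anything reporting 5.6.0 or 5.6.1 should be downgraded or updated from the distro's security pocket as the Ubuntu post later in this thread describes.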
Title: Re: libxz backdoors in upstream versions
Post by: trinidad on April 08, 2024, 09:05:00 AM
https://discourse.ubuntu.com/t/noble-numbat-beta-delayed-xz-liblzma-security-update/43827
TC
Title: Re: libxz backdoors in upstream versions
Post by: Şerban S. on April 08, 2024, 09:15:31 AM
Thanks!
It's good to know people take it seriously.
Best regards!