libxz backdoors in upstream versions

Şerban S.:
Thanks!
It's good to know people take it seriously.
Best regards!

trinidad:
https://discourse.ubuntu.com/t/noble-numbat-beta-delayed-xz-liblzma-security-update/43827
TC

Şerban S.:
Thanks for the warning!

This is what I got running the script:


--- Code: ---
Checking system for CVE-2024-3094 Vulnerability...
https://nvd.nist.gov/vuln/detail/CVE-2024-3094

Checking for function signature in liblzma...
Function signature in liblzma: OK

Checking xz version using dpkg package manager...
xz version 5.2.5-2ubuntu1: OK

--- End code ---

For now, it's OK, but trails might go on some time. Probably the best line of work here is to update any package as soon as it gets notified.
Some low-level backup might also help. Just in case...

Best regards, Șerban.
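The version check reported in the output above can be reproduced independently. The following is an added example, not part of the thread and not the script linked in it: it assumes the affected upstream releases are 5.6.0 and 5.6.1 (per the CVE-2024-3094 advisory) and resolves Debian-style epoch, revision and "+really" rollback suffixes before comparing. The function names are hypothetical, and every sample version string except `5.2.5-2ubuntu1` (taken from the post) is constructed.

```shell
#!/bin/sh
# Added example: classify a Debian/Ubuntu xz-utils or liblzma5 package
# version against CVE-2024-3094 (assumed affected upstream: 5.6.0, 5.6.1).

# upstream_version VERSION
# Prints the upstream part of a package version string.
upstream_version() {
    v=$1
    v=${v#*:}                  # drop an epoch such as "1:" if present
    case $v in
        # A rollback is packaged as "<new>+really<old>"; the code that is
        # actually shipped is <old>, so compare against that part.
        *+really*) v=${v##*+really} ;;
    esac
    v=${v%%[!0-9.]*}           # keep leading digits/dots (drops "-2ubuntu1" etc.)
    printf '%s\n' "$v"
}

# check_xz_version VERSION
# Prints AFFECTED, OK or UNKNOWN; returns 1, 0 or 2 respectively.
check_xz_version() {
    up=$(upstream_version "$1")
    case $up in
        "")          echo "UNKNOWN";  return 2 ;;
        5.6.0|5.6.1) echo "AFFECTED"; return 1 ;;
        *)           echo "OK";       return 0 ;;
    esac
}

# Constructed samples (only the first one appears in the thread).
for sample in 5.2.5-2ubuntu1 5.6.1-1 5.6.1+really5.4.5-1; do
    result=$(check_xz_version "$sample") || true
    printf '%-24s %s\n' "$sample" "$result"
done

# On a real system the installed version can be read with:
#   dpkg-query -W -f='${Version}\n' liblzma5
```

A plain substring match on "5.6.1" would misreport a rolled-back package, which is why the "+really" suffix is resolved first.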

trinidad:

--- Quote from: trinidad on April 01, 2024, 10:35:59 AM ---I heard about this last week but now the community has addressed the issue. Nothing I run was affected and Ubuntu and Debian both announced their Stable OS versions were not affected. Interesting article also listing distros affected at the link below.

https://www.helpnetsecurity.com/2024/03/31/xz-backdoored-linux-affected-distros/

The link below is to the guy who discovered the vulnerability. It also provides a vulnerability checking bash script which I ran on all my systems.

https://codenotary.com/blog/backdoor-in-upstream-xz

Just another reason why running Ubuntu LTS and/or Debian Stable is your best bet.
TC

--- End quote ---

trinidad:
I heard about this last week but now the community has addressed the issue. Nothing I run was affected and Ubuntu and Debian both announced their Stable OS versions were not affected. Interesting article also listing distros affected at the link below.

https://www.helpnetsecurity.com/2024/03/31/xz-backdoored-linux-affected-distros/

The link below is to the guy who discovered the vulnerability. It also provides a vulnerability checking bash script which I ran on all my systems.

https://codenotary.com/blog/backdoor-in-upstream-xz
Just another reason why running Ubuntu LTS and/or Debian Stable is your best bet.
TC
