3 points

For Ubuntu releases, Package search shows latest versions used are 5.4.x.

Are all these releases compromised too?

4 points

Not that we know of, just package versions 5.6.0 and 5.6.1

29 points

Simply excluding this backdoor does not seem to be sufficient. The malicious actor has contributed over 750 commits to xz, all of which could contain further backdoors.

Downgrading to the last version without any contributions from the malicious actor is not possible either, because of new functionalities and other security issues that were fixed in the meantime. Uninstalling xz is also not possible, because half my system depends on it.

I guess it will take some time to sort all of that out. I am very impressed by the fast and coordinated response to this incident by the FOSS community.

17 points

This is just speculation, but I think this was a long planned attack. I think it’s unlikely any previous backdoors or significant security vulnerabilities would have been introduced, the goal was to establish themselves as a legitimate contributor and then sneak one critical backdoor in unnoticed. Sneaking in multiple vulnerabilities would have increased the risk of detection.

From what I understand they did cause a conflict with another package, and then used that to try to justify having the backdoored versions of the package fast tracked into upcoming Debian and Fedora releases. But that would also suggest that their whole goal was shipping this one backdoor.

2 points

Well that’s unfortunate

5 points

I am a brand new debian user, with debian running on two active laptops (mine and my daughter’s). Is this something I need to be concerned about and if so, what do I do?

Literally first week or two of use and still quite lost trying to get used to the massive difference from Windows.

18 points

If you’re on Debian stable, you don’t need to worry too much. This attack is actually targeted at Debian and Debian-based systems, but Debian is slow to update packages to make sure everything is stable. Thanks to this, Debian stable never updated with the infected package.

If you were on one of the Debian testing updates though your system is in danger. The other concern is that the bad user who pushed this backdoor has been providing code updates for two years. Seemingly these other updates were legitimate to get him in position to sneak in this backdoor, but there is a chance that he has already snuck in some other kind of backdoor that hasn’t yet been identified and that could be present on your system.

For the time being, you’re probably ok and we just need to wait to see if any other backdoors are found in the code.

1 point

Okay, thank you very much.

14 points

Man, rolling release is great

I use Debian stable btw…

6 points

The downside to bleeding edge…

14 points

This backdoor has existed for the past 2 months. If anything, Arch was one of the first to roll out the fix.

2 points

Sure, but if you went the Debian way of things... you wouldn’t have had the backdoored version for three more years

1 point

Without knowing it, my Arch installation has xz 5.6.1-2.

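A quick way to turn the two version numbers named earlier in the thread (5.6.0 and 5.6.1) and the Arch-style "5.6.1-2" string above into a check: the script below is an added example, not code from the thread or from the xz project. The sample version strings and their distro suffixes are constructed; the "+really" handling assumes Debian's convention of reverting to an older upstream by versioning it "<new>+really<old>".

```shell
#!/bin/sh
# Added example: decide whether an installed xz package version string is one of
# the two backdoored upstream releases discussed in the thread (5.6.0 and 5.6.1).
# Sample suffixes are constructed: Arch appends a package release ("5.6.1-2"),
# Debian appends "-N", and a Debian revert to an older upstream is written
# "5.6.1+really5.4.5-1", which actually ships 5.4.5.

# Reduce a distro package version string to the upstream xz version it ships.
xz_upstream_version() {
  v=$1
  # Debian "+really" revert: the true upstream version follows the marker.
  case "$v" in
    *+really*) v=${v#*+really} ;;
  esac
  # Drop the package release ("-N") and any remaining "+suffix".
  v=${v%%-*}
  v=${v%%+*}
  printf '%s\n' "$v"
}

# Exit 0 (true) when the version is a known-backdoored release, 1 otherwise.
xz_is_backdoored() {
  case "$(xz_upstream_version "$1")" in
    5.6.0|5.6.1) return 0 ;;
    *) return 1 ;;
  esac
}

# Stand-alone use: check the xz binary on PATH, if there is one.
# The first line of `xz --version` ends with the version number.
if command -v xz >/dev/null 2>&1; then
  installed=$(xz --version | sed -n '1s/.* //p')
  if xz_is_backdoored "$installed"; then
    echo "xz $installed is a backdoored release; update or downgrade now"
  else
    echo "xz $installed is not one of the known-backdoored releases"
  fi
fi
```

On a Debian or Arch system the package manager's own version (`dpkg -s xz-utils`, `pacman -Q xz`) is the more reliable input, since the binary on PATH may not be the packaged one.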

Arch Linux

!archlinux@lemmy.ml

The beloved lightweight distro