Bad title. This is CVE-2024-3094. Run “xz --version” to see if you are affected.
USE WINDOWS.
If this happened on Windows, probably no one would have noticed it until a large cyberattack happened. Also, using that logic, no one should be using CPUs created after 1995 due to Meltdown / Spectre.
I'm not irritated, I'm saying that your logic is flawed. To stop using some piece of software due to a vulnerability is at least dumb. Every piece of software will have at least one, open source or not; we are humans, we commit errors. Example: the SMB vulnerability that allowed the quick spread of WannaCry in 2017, and that was on Windows. And actually we are lucky that this happened in open source software and not in some big corporation's privative software. If that were the case, we wouldn't be able to know about the backdoor until a large cyberattack happened.
So far I was affected on Termux. There is already a package update.
Running Ubuntu 23.10 with xz-utils 5.41 which is unaffected. Versions 5.6.0 and 5.6.1 are the malicious packages. I used Synaptic Package Manager to search for it.
The bad actor had a Launchpad bug to pull it into the Ubuntu LTS beta. Serious kudos to the person who discovered it, literally in the nick of time.
I am looking at this gaggle of posts, and all of Lemmy is flooded with this, and then I think that there is an entire spyware OS on the other side… which runs who knows what code, and people are chill about it. I am so thankful for this community.