If you’re running version 5.6.0 or 5.6.1, downgrade immediately.
Do not run xz --version. Instead check the version in your package manager.
debian/ubuntu based distros:
apt show xz-utils
or
dpkg -l | grep xz
redhat/fedora-based:
yum info xz
dnf info xz
arch-based:
pacman -Qi xz
EDIT: correction as suggested below
Why is that? I know the latter gives you more info, but it’s still the same thing isn’t it?
Because you are running the affected software. It’s a bad idea to run something if we are aware that it contains or relies on malicious code.
Wow! This was so close to perhaps being one of the worst security compromises in open source history.
For me I feel like we have not had any big security stuff since the whole log4j thing. While this seems bigger they have caught it relatively early. I feel like more people had to panic patch Minecraft servers with log4j.
maybe the libwebp vulnerability deserves a honorable mention, although i don’t think it has had as big an impact, it could’ve been way worse.
My only reservation is that this compromised contributor has been working on the project for a few years. I hope that this is the end of the tunnel and there aren’t more issues to be uncovered with further analysis.
Its easy to spiral out of control thinking about how the practice that got us this backdoor is something that is used all over the open source community to build code. In the end we can only evaluate what is in front of us and pray the things lurking in the shadows are something we can deal with when they expose themselves.
Jokes on you; I haven’t run a system update since 2006
Mods should sticky this. This is the third post in this comm about the vulnerability.
The only people who will have this vulnerability AFAIK (and have it be actionable with the ssh backdoor) are folks running Debian unstable on a ssh server. The shitty part about this is a rupture in trust for the maintainers at xz.
Honestly, the attacker picked a really shitty time frame considering their payload isn’t in any important point releases where they could have the most effect.
How to check your version without running xz on nixOS, the official OS of trans people:
ls -l $(which xz)
I’m at 5.4.4 thankfully.
nixos doesn’t appear to be vulnerable in general, based on this thread
