ngn@lemy.lol to Memes@lemmy.mlEnglish · 9 months agolove is in the air?lemy.lolimagemessage-square52fedilinkarrow-up1348arrow-down140
arrow-up1308arrow-down1imagelove is in the air?lemy.lolngn@lemy.lol to Memes@lemmy.mlEnglish · 9 months agomessage-square52fedilink
minus-square30p87@feddit.delinkfedilinkarrow-up24arrow-down2·9 months agoArch isn’t affected afaik, as it specifically targeted Debian and RPM. Also, sshd isn’t linked against liblzma (or something along those lines). And I hope that’s true, because otherwise, I had a backdoor on a public system for over a month.
minus-squarewildbus8979@sh.itjust.workslinkfedilinkarrow-up6arrow-down1·9 months agohttps://archlinux.org/news/the-xz-package-has-been-backdoored/
minus-square30p87@feddit.delinkfedilinkarrow-up7·9 months agoAnd as https://www.openwall.com/lists/oss-security/2024/03/29/4 says: “These conditions include targeting only x86-64 linux: […] Building with gcc and the gnu linker […] Running as part of a debian or RPM package build:” I’m not an expert of course.
minus-squarebrvslvrnst@lemmy.mllinkfedilinkarrow-up2·9 months agoHoly shit that was a hell of a dive. And no wonder the dude got it working, he was just pounding those “test and translation” commits
minus-squareHopFlop@discuss.tchncs.delinkfedilinkarrow-up8·9 months agoYeah but the backdoor does not work on Arch (as far as we currently know). It relies on a linking of libraries that Arch doesnt do by default.
minus-squareu/lukmly013 💾 (lemmy.sdf.org)@lemmy.sdf.orglinkfedilinkEnglisharrow-up12·edit-29 months agoAnd the packages on most distros should be long updated by now. Even Termux updated to 5.6.1+really5.4.5 just 2 hours after Arch Linux.
minus-square30p87@feddit.delinkfedilinkarrow-up4·9 months agoI just updated all packages in Termux actually lol
minus-squareu/lukmly013 💾 (lemmy.sdf.org)@lemmy.sdf.orglinkfedilinkEnglisharrow-up1·9 months agoWhat package manager is that?
minus-squarePantherina@feddit.delinkfedilinkarrow-up1·9 months agoNala, Termux is Debian based and its pkg is basically apt
minus-squarengn@lemy.lolOPlinkfedilinkEnglisharrow-up1·9 months agoI think it’s nala, which is a wrapper for (lib)apt
minus-squareReversalHatchery@beehaw.orglinkfedilinkEnglisharrow-up16·edit-29 months ago Also, sshd isn’t linked against liblzma Not directly, but it’s loaded through libsystemd. It is there. Edit: except on arch, if you use that. That doesn’t use libsystemd
Arch isn’t affected afaik, as it specifically targeted Debian and RPM. Also, sshd isn’t linked against liblzma (or something along those lines). And I hope that’s true, because otherwise, I had a backdoor on a public system for over a month.
https://archlinux.org/news/the-xz-package-has-been-backdoored/
And as https://www.openwall.com/lists/oss-security/2024/03/29/4 says:
“These conditions include targeting only x86-64 linux: […] Building with gcc and the gnu linker […] Running as part of a debian or RPM package build:”
I’m not an expert of course.
Holy shit that was a hell of a dive. And no wonder the dude got it working, he was just pounding those “test and translation” commits
Yeah but the backdoor does not work on Arch (as far as we currently know). It relies on a linking of libraries that Arch doesnt do by default.
And the packages on most distros should be long updated by now.
Even Termux updated to
5.6.1+really5.4.5
just 2 hours after Arch Linux.I just updated all packages in Termux actually lol
What package manager is that?
Nala, Termux is Debian based and its
pkg
is basically aptI think it’s nala, which is a wrapper for (lib)apt
Not directly, but it’s loaded through libsystemd. It is there.
Edit: except on arch, if you use that. That doesn’t use libsystemd