Discussion is already starting about going back to the version from before Jia Tan began contributing to xz.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068024
30. 3. 2024, 09:17, edited by the comment's author
Already downgraded in Gentoo.
enigma ~ # eix xz-utils
[I] app-arch/xz-utils
Available versions: 5.4.2 [M]5.4.6-r1 [M]5.6.1 [M]**9999*l {doc +extra-filters nls pgo static-libs verify-sig ABI_MIPS="n32 n64 o32" ABI_S390="32 64" ABI_X86="32 64 x32" CPU_FLAGS_ARM="crc32"}
Installed versions: 5.4.2(13:04:31 30.3.2024)(extra-filters nls -doc -pgo -static-libs -verify-sig ABI_MIPS="-n32 -n64 -o32" ABI_S390="-32 -64" ABI_X86="32 64 -x32")
Homepage: https://tukaani.org/xz/
Description: Utils for managing LZMA compressed files
/var/db/repos/gentoo/profiles/package.mask
# Sam James <sam@gentoo.org> (2024-03-28)
# Newer releases were signed by a potentially compromised upstream maintainer.
# There is no evidence that these releases contain malicious code, but masked
# out of an abundance of caution. See bug #928134.
>=app-arch/xz-utils-5.4.3
# Sam James <sam@gentoo.org> (2024-03-28)
# Backdoor discovered in release tarballs. DOWNGRADE NOW.
# https://www.openwall.com/lists/oss-security/2024/03/29/4
# https://bugs.gentoo.org/928134
~app-arch/xz-utils-5.5.1_alpha
~app-arch/xz-utils-5.5.2_beta
~app-arch/xz-utils-5.6.0
~app-arch/xz-utils-5.6.1
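A small POSIX sh check, added here as an example and not something posted in the thread or shipped by Gentoo, that encodes the two tiers of the package.mask entries quoted above: the four releases under the "DOWNGRADE NOW" entry, and the broader ">=5.4.3" caution mask. It compares dotted version strings numerically (suffixes such as `_alpha` or `-r1` are ignored, which is an assumption of this script, not Portage's real ordering), classifies a given version, and, if an `xz` binary is on PATH, classifies the installed one by parsing the first line of `xz --version`. The sample versions in the check are constructed from the mask entries on this page.

```shell
#!/bin/sh
# Example check (not from the thread): classify an xz-utils version against
# the Gentoo package.mask entries quoted above.

# Versions listed under "Backdoor discovered in release tarballs. DOWNGRADE NOW."
DOWNGRADE_LIST="5.5.1_alpha 5.5.2_beta 5.6.0 5.6.1"
# Floor of the "abundance of caution" mask: >=app-arch/xz-utils-5.4.3
CAUTION_FLOOR="5.4.3"

# vercmp A B: prints 1, 0 or -1 as A is greater, equal or less than B.
# Only the numeric dotted part is compared; "_alpha" / "-r1" suffixes are
# dropped (assumption of this example, simpler than Portage's own ordering).
vercmp() {
  va=${1%%[_-]*} vb=${2%%[_-]*}
  while [ -n "$va" ] || [ -n "$vb" ]; do
    fa=${va%%.*} fb=${vb%%.*}
    if [ "$fa" = "$va" ]; then va=; else va=${va#*.}; fi
    if [ "$fb" = "$vb" ]; then vb=; else vb=${vb#*.}; fi
    fa=${fa:-0} fb=${fb:-0}          # missing trailing fields count as 0
    if [ "$fa" -gt "$fb" ]; then printf '%s\n' 1; return 0; fi
    if [ "$fa" -lt "$fb" ]; then printf '%s\n' -1; return 0; fi
  done
  printf '%s\n' 0
}

# True when the version is one of the hard-masked "DOWNGRADE NOW" releases.
is_downgrade_listed() {
  for v in $DOWNGRADE_LIST; do
    [ "$(vercmp "$1" "$v")" -eq 0 ] && return 0
  done
  return 1
}

# classify VERSION: prints DOWNGRADE_NOW, MASKED or OK.
classify() {
  if is_downgrade_listed "$1"; then
    printf '%s\n' DOWNGRADE_NOW
  elif [ "$(vercmp "$1" "$CAUTION_FLOOR")" -ge 0 ]; then
    printf '%s\n' MASKED
  else
    printf '%s\n' OK
  fi
}

# Version of the xz binary on PATH, taken from the first line of `xz --version`
# ("xz (XZ Utils) 5.4.2"); fails when xz is not installed.
installed_xz_version() {
  command -v xz >/dev/null 2>&1 || return 1
  xz --version 2>/dev/null | sed -n '1s/.* //p'
}

if v=$(installed_xz_version) && [ -n "$v" ]; then
  printf 'installed xz-utils %s: %s\n' "$v" "$(classify "$v")"
else
  printf 'xz not found in PATH; nothing to classify\n'
fi
```

Run it as-is to see the verdict for the local binary, or source it and call `classify 5.6.1` for a single version. The 9999 live ebuild falls into MASKED, matching the `[M]` marker in the eix listing above.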
But in Debian it has already been reverted since 28 March. You overslept a bit:
xz-utils (5.6.1+really5.4.5-1) unstable; urgency=critical

  * Non-maintainer upload by the Security Team.
  * Revert back to the 5.4.5-0.2 version

 -- Salvatore Bonaccorso <carnil@debian.org>  Thu, 28 Mar 2024 15:59:38 +0100

xz-utils (5.6.1-1) unstable; urgency=medium

  * Non-maintainer upload.
  * Import 5.6.1 (Closes: #1067708).
  * Takeover maintenance of the package.

 -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Wed, 27 Mar 2024 22:53:21 +0100