TL;DR there was a backdoor found in the XZ program. All major distros have been updated but it is recommended that you do a fresh install on systems that are exposed to the internet and that had the bad version of the program. Only upstream distros were affected.

  • AutoTL;DR@lemmings.worldB
    link
    fedilink
    English
    arrow-up
    11
    arrow-down
    2
    ·
    8 months ago

    This is the best summary I could come up with:


    Researchers have found a malicious backdoor in a compression tool that made its way into widely used Linux distributions, including those from Red Hat and Debian.

    An update the following day included a malicious install script that injected itself into functions used by sshd, the binary file that makes SSH work.

    So-called GIT code available in repositories aren’t affected, although they do contain second-stage artifacts allowing the injection during the build time.

    In the event the obfuscated code introduced on February 23 is present, the artifacts in the GIT version allow the backdoor to operate.

    “This could break build scripts and test pipelines that expect specific output from Valgrind in order to pass,” the person warned, from an account that was created the same day.

    The malicious versions, researchers said, intentionally interfere with authentication performed by SSH, a commonly used protocol for connecting remotely to systems.


    The original article contains 810 words, the summary contains 146 words. Saved 82%. I’m a bot and I’m open source!