173
Backdoor in upstream xz/liblzma leading to ssh server compromise
(www.openwall.com)
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
this post was submitted on 29 Mar 2024
173 points (98.3% liked)
Selfhosted
39677 readers
868 users here now
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
-
Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
-
No spam posting.
-
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
-
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
-
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
-
No trolling.
Resources:
- awesome-selfhosted software
- awesome-sysadmin resources
- Self-Hosted Podcast from Jupiter Broadcasting
Any issues on the community? Report it using the report flag.
Questions? DM the mods!
founded 1 year ago
MODERATORS
I bet that you use software packages that are built and authored on systems that have systemd+sshd, though.
What happens if development or build machines belong to people who control projects that you trust and have been compromised?
Do you use a web browser? Do you use a graphical desktop environment? Are the machines those guys use vulnerable? Are the developers of the libraries that they depend on vulnerable?
Remember, this guy was attacking a downstream project (sshd) by compromising and signing source in a specific tarball of a library -- the malicious code never made it into git -- used by an unrelated piece of software (systemd) that some distros, not even the ssh guys, happened to link into sshd's memory space. He's trying to compromise unrelated software via elaborate supply chain attacks.