309
love is in the air?
(lemy.lol)
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
this post was submitted on 30 Mar 2024
309 points (89.7% liked)
Memes
45660 readers
1727 users here now
Rules:
- Be civil and nice.
- Try not to excessively repost, as a rule of thumb, wait at least 2 months to do it if you have to.
founded 5 years ago
MODERATORS
Arch isn't affected afaik, as it specifically targeted Debian and RPM. Also, sshd isn't linked against liblzma (or something along those lines). And I hope that's true, because otherwise, I had a backdoor on a public system for over a month.
Not directly, but it's loaded through libsystemd. It is there.
Edit: except on arch, if you use that. That doesn't use libsystemd
And the packages on most distros should be long updated by now.
Even Termux updated to
5.6.1+really5.4.5just 2 hours after Arch Linux.I just updated all packages in Termux actually lol
What package manager is that?
I think it's nala, which is a wrapper for (lib)apt
Nala, Termux is Debian based and its
pkgis basically apthttps://archlinux.org/news/the-xz-package-has-been-backdoored/
Yeah but the backdoor does not work on Arch (as far as we currently know). It relies on a linking of libraries that Arch doesnt do by default.
And as https://www.openwall.com/lists/oss-security/2024/03/29/4 says:
"These conditions include targeting only x86-64 linux: [...] Building with gcc and the gnu linker [...] Running as part of a debian or RPM package build:"
I'm not an expert of course.
Holy shit that was a hell of a dive. And no wonder the dude got it working, he was just pounding those "test and translation" commits