A Federation
  • Communities
  • Create Post
  • Create Community
  • heart
    Support Lemmy
  • search
    Search
  • Login
  • Sign Up
qwioeue@lemmy.world to linuxmemes@lemmy.world · 7 months ago

Arch with XZ

lemmy.world

message-square
93
fedilink
473

Arch with XZ

lemmy.world

qwioeue@lemmy.world to linuxmemes@lemmy.world · 7 months ago
message-square
93
fedilink
  • observantTrapezium@lemmy.ca
    link
    fedilink
    arrow-up
    91
    arrow-down
    3    ·
    7 months ago

    Arch does not directly link openssh to liblzma, and thus this attack vector is not possible.

    • Possibly linux@lemmy.zip
      link
      fedilink
      English
      arrow-up
      5      ·
      7 months ago

      It is not entirely clear either this exploit can affect other parts of the system. This is one those things you need to take extremely seriously

      • DefederateLemmyMl@feddit.nl
        link
        fedilink
        English
        arrow-up
        2        ·
        7 months ago

        In the case of Arch the backdoor also wasn’t inserted into liblzma at all, because at build time there was a check to see if it’s being built on a deb or rpm based system, and only inserts it in those two cases.

        See https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27 for an analysis of the situation.

        So even if Arch built their xz binaries off the backdoored tarball, it was never actually vulnerable.

        • Possibly linux@lemmy.zip
          link
          fedilink
          English
          arrow-up
          1          ·
          7 months ago

          I just know there is a lot of uncertainty. Maybe a complete wipe is a over reaction but it is better to be safe

linuxmemes@lemmy.world

linuxmemes@lemmy.world

Subscribe from Remote Instance

Create a post
You are not logged in. However you can subscribe from another Fediverse account, for example Lemmy or Mastodon. To do this, paste the following into the search field of your instance: !linuxmemes@lemmy.world

Hint: :q!

Sister communities:
  • LemmyMemes: Memes
  • LemmyShitpost: Anything and everything goes.
  • RISA: Star Trek memes and shitposts

Community rules (click to expand)

1. Follow the site-wide rules
  • Instance-wide TOS: https://legal.lemmy.world/tos/
  • Lemmy code of conduct: https://join-lemmy.org/docs/code_of_conduct.html
2. Be civil
  • Understand the difference between a joke and an insult.
  • Do not harrass or attack members of the community for any reason.
  • Leave remarks of “peasantry” to the PCMR community. If you dislike an OS/service/application, attack the thing you dislike, not the individuals who use it. Some people may not have a choice.
  • Bigotry will not be tolerated.
  • These rules are somewhat loosened when the subject is a public figure. Still, do not attack their person or incite harrassment.
3. Post Linux-related content
  • Including Unix and BSD.
  • Non-Linux content is acceptable as long as it makes a reference to Linux. For example, the poorly made mockery of sudo in Windows.
  • No porn. Even if you watch it on a Linux machine.
4. No recent reposts
  • Everybody uses Arch btw, can’t quit Vim, and wants to interject for a moment. You can stop now.

Please report posts and comments that break these rules!

Visibility: Public
globe

This community can be federated to other instances and be posted/commented in by their users.

  • 554 users / day
  • 3.51K users / week
  • 6.9K users / month
  • 18.5K users / 6 months
  • 1 local subscriber
  • 21.1K subscribers
  • 1.24K Posts
  • 54.7K Comments
  • Modlog
  • mods:
  • Kevin@lemmy.world
  • zephyr@lemmy.world
  • rtxn@lemmy.world
  • BE: 0.19.5
  • Modlog
  • Instances
  • Docs
  • Code
  • join-lemmy.org