Eek. Apparently liblzma (part of the xz package) has a backdoor in versions 5.6.0 and 5.6.1, causing SSH to be compromised.
https://www.openwall.com/lists/oss-security/2024/03/29/4
This might even have been done on purpose by the upstream devs.
Developing story, please take with a grain of salt.
The 5.6 versions are somewhat recent, depending on how bleeding edge your distro is you might not be affected.
#liblzma #xz #lzma #backdoor #ITsecurity #OpenSSH #SSH
scy /
npub15p…khvce
2024-03-29 17:29:45
Author Public Key
npub15pc5vt5kqgr60g389gl4n5zzuktz8wezz76klym9ew3puy3p8clqckhvcePublished at
2024-03-29 17:29:45Event JSON
{
"id": "04fe4e4b06f2b643cbb3af080959268ac763e11342c28ab114042675e37e8ae2",
"pubkey": "a071462e960207a7a2272a3f59d042e59623bb2217b56f9365cba21e12213e3e",
"created_at": 1711729785,
"kind": 1,
"tags": [
[
"t",
"xz"
],
[
"t",
"lzma"
],
[
"t",
"itsecurity"
],
[
"t",
"backdoor"
],
[
"t",
"openssh"
],
[
"t",
"liblzma"
],
[
"t",
"ssh"
],
[
"proxy",
"https://chaos.social/users/scy/statuses/112179923213543143",
"activitypub"
],
[
"L",
"pink.momostr"
],
[
"l",
"pink.momostr.activitypub:https://chaos.social/users/scy/statuses/112179923213543143",
"pink.momostr"
]
],
"content": "Eek. Apparently liblzma (part of the xz package) has a backdoor in versions 5.6.0 and 5.6.1, causing SSH to be compromised.\n\nhttps://www.openwall.com/lists/oss-security/2024/03/29/4\n\nThis might even have been done on purpose by the upstream devs.\n\nDeveloping story, please take with a grain of salt.\n\nThe 5.6 versions are somewhat recent, depending on how bleeding edge your distro is you might not be affected.\n\n#liblzma #xz #lzma #backdoor #ITsecurity #OpenSSH #SSH",
"sig": "e08b8b6d1216fa2dfc8b3dd11904f63ff5ffe21db514eb444804fb2f7cfb034dd11c783b914be6b543b4b49db063da6ec9634d5cf369b7e361125bc5f989455f"
}