Russ Allbery <r...@debian.org> writes:

> Sirius <sir...@trudheim.com> writes:
>
>> This is quite actively discussed on Fedora lists.
>> https://www.openwall.com/lists/oss-security/2024/
>> https://www.openwall.com/lists/oss-security/2024/03/29/4
>> Worth taking a look if action needs to be taken on Debian.

> The version of xz-utils was reverted to 5.4.5 in unstable yesterday by
> the security team and migrated to testing today. Anyone running an
> unstable or testing system should urgently upgrade.

I think the big open question we need to ask now is what exactly the
backdoor (or, rather, backdoors; we know there were at least two versions
over time) did. If they only target sshd, that's one thing, and we have a
bound on systems possibly affected. But liblzma is linked directly or
indirectly into all sorts of things such as, to give an obvious example,
apt-get. A lot of Debian developers use unstable or testing systems. If
the exploit was also exfiltrating key material, backdooring systems that
didn't use sshd, etc., we have a lot more cleanup to do.

I think this question can only be answered with reverse-engineering of
the backdoors, and I personally don't have the skills to do that.

-- 
Russ Allbery (r...@debian.org) <https://www.eyrie.org/~eagle/>
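The two scoping questions raised in the message above (is the installed liblzma one of the bad releases, and which binaries pull liblzma in directly or through another library) can be answered mechanically. The script below is an added example for this page; it is not part of the original thread and not Debian's own tooling. It assumes a Debian-style host with dpkg-query and ldd on the PATH. The backdoored upstream versions 5.6.0 and 5.6.1 are taken from the linked oss-security post; the version strings, executable paths and ldd output embedded in it are constructed for demonstration. The parsing functions take text, so they can be exercised without touching the real system, and ldd output already contains the transitive closure, which is what catches the indirect case (e.g. sshd reaching liblzma via libsystemd).

```python
"""Scope check for the xz-utils / liblzma incident (added example).

Two questions for a Debian admin:
  1. Is the installed liblzma5 built from an upstream release that
     carried the backdoor (5.6.0 / 5.6.1, per oss-security 2024/03/29/4)?
  2. Which installed executables link liblzma, directly or indirectly?
System calls (dpkg-query, ldd) happen only in main(); the parsers work
on plain text so they can be run against constructed samples.
"""
import os
import re
import subprocess
from collections.abc import Callable

# Upstream releases that shipped the backdoored build machinery.
BACKDOORED_UPSTREAM = ("5.6.0", "5.6.1")


def upstream_version(debian_version: str) -> str:
    """Strip epoch and Debian revision: '2:5.6.1-1' -> '5.6.1'.

    A revert such as '5.6.1+really5.4.5-1' yields '5.6.1+really5.4.5',
    which is correctly NOT a known-bad version (a naive startswith('5.6')
    check would flag it).
    """
    v = debian_version.strip()
    if ":" in v:
        v = v.split(":", 1)[1]
    return v.rsplit("-", 1)[0] if "-" in v else v


def is_backdoored_version(debian_version: str) -> bool:
    return upstream_version(debian_version) in BACKDOORED_UPSTREAM


# Matches resolved entries like "liblzma.so.5 => /lib/.../liblzma.so.5 (0x...)".
_LDD_LINE = re.compile(r"^\s*(\S+)\s*=>")


def links_liblzma(ldd_output: str) -> bool:
    """True if liblzma appears anywhere in the (transitive) ldd listing."""
    for line in ldd_output.splitlines():
        m = _LDD_LINE.match(line)
        if m and m.group(1).startswith("liblzma.so"):
            return True
    return False


def find_liblzma_users(paths, run_ldd: Callable[[str], str]) -> list[str]:
    """Return the subset of paths whose ldd output mentions liblzma."""
    hits = []
    for p in paths:
        try:
            out = run_ldd(p)
        except (OSError, subprocess.SubprocessError):
            continue  # not a dynamic ELF, unreadable, etc.
        if links_liblzma(out):
            hits.append(p)
    return hits


# Constructed ldd output (hypothetical paths and addresses) for offline use.
SAMPLE_LDD = {
    "/usr/sbin/sshd": (
        "\tlinux-vdso.so.1 (0x00007ffd3f5d1000)\n"
        "\tlibsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x0)\n"
        "\tliblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x0)\n"
        "\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x0)\n"
        "\t/lib64/ld-linux-x86-64.so.2 (0x0)\n"
    ),
    "/usr/bin/apt-get": (
        "\tlibapt-pkg.so.6.0 => /lib/x86_64-linux-gnu/libapt-pkg.so.6.0 (0x0)\n"
        "\tliblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x0)\n"
        "\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x0)\n"
    ),
    "/usr/bin/true": (
        "\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x0)\n"
        "\t/lib64/ld-linux-x86-64.so.2 (0x0)\n"
    ),
}


def _real_ldd(path: str) -> str:
    return subprocess.run(["ldd", path], capture_output=True,
                          text=True, check=False).stdout


def _installed_version(package: str) -> str:
    r = subprocess.run(["dpkg-query", "-W", "-f=${Version}", package],
                       capture_output=True, text=True, check=False)
    return r.stdout.strip()


def main() -> None:
    ver = _installed_version("liblzma5")
    verdict = ("BACKDOORED UPSTREAM VERSION" if is_backdoored_version(ver)
               else "not a known-bad version")
    print(f"liblzma5 {ver or '(not installed)'}: {verdict}")
    dirs = ["/usr/sbin", "/usr/bin"]
    paths = [os.path.join(d, f) for d in dirs if os.path.isdir(d)
             for f in os.listdir(d)]
    for p in sorted(find_liblzma_users(paths, _real_ldd)):
        print("links liblzma:", p)


if __name__ == "__main__":
    main()
```

Running it on a real host lists every executable in /usr/bin and /usr/sbin whose dependency closure includes liblzma, which is the population that a "does it only target sshd" answer would have to be checked against; the version check is deliberately exact-match so the reverted 5.6.1+really5.4.5 package is not misreported as bad.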