On 4/5/24 10:36, wes wrote:
> I'm surprised to see that no one has mentioned this on PLUG yet, though
> it's been flying around the rest of the tech sphere on the internet pretty
> heavily over the last week. I will share it here in case any list member
> hasn't seen it yet elsewhere and if anyone is interested in this subject.
>
> The short version is, someone (potentially many someones) attempted to
> insert malicious code into the Linux pipeline which would have resulted in
> them being able to log in to any system running that code without
> authorization. The attempt was caught before it reached any major level of
> distribution and stopped, but the fact that it even got that far is
> alarming.
>
> Here is a NYT article covering the sequence of events in a pretty
> approachable way:
>
> https://www.nytimes.com/2024/04/03/technology/prevent-cyberattack-linux.html
>
> And for those who do not feel motivated to create an account on the NYT
> website:
>
> https://archive.ph/tc9bN
>
Interestingly, for those of us that use Slackware64-15.0 Linux (stable), the xz debacle was a non-issue. Even for Slackware64-current, it was a non-issue, but to be on the safe side, xz was rebuilt and patched with clean code:

ChangeLog

Fri Mar 29 20:39:11 UTC 2024
a/xz-5.6.1-x86_64-2.txz: Rebuilt.
  Seems like a good idea to build this from a git pull rather than the signed
  release tarballs. :-)
  The liblzma in the previous packages were not found to be vulnerable by the
  detection script, but I'd rather not carry the bad m4 files in our sources.
  Here's a test script for anyone wanting to try it:

  if hexdump -ve '1/1 "%.2x"' /lib*/liblzma.so.5 | grep -q f30f1efa554889f54c89ce5389fb81e7000000804883ec28488954241848894c2410 ; then
    echo probably vulnerable
  else
    echo probably not vulnerable
  fi

Sat Mar 30 18:08:12 UTC 2024
a/xz-5.6.1-x86_64-3.txz: Rebuilt.
  [PATCH] CMake: Fix sabotaged Landlock sandbox check.
  We don't build with CMake (yet), but it doesn't hurt to apply this.

Ya'll can keep yer fancy pants linux distros with yer systemd, dpkg/apt/yum and other silliness.

The Year of the Slackware Linux Desktop
1993 - 2024

-Ed
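The ChangeLog one-liner quoted above greps a hexdump of /lib*/liblzma.so.5 for a fixed byte pattern. The script below is an added example, not code from this thread or from Slackware's ChangeLog: it reimplements the same check in Python by searching the raw library bytes for that pattern, scans several candidate paths in one run, and reports a per-file verdict. The extra glob patterns beyond /lib*/liblzma.so.5 are assumptions to cover multiarch layouts, and the two sample byte strings at the bottom are constructed for a self-test, not real library contents. Like the original, it is a byte-signature heuristic ("probably"), not proof either way.

```python
"""Added example (not from the PLUG thread or Slackware's ChangeLog): a
defender's reimplementation of the hexdump | grep liblzma check."""
import glob
from typing import Dict, List, Optional

# Byte pattern quoted in the Slackware ChangeLog entry; the same hex string
# the one-liner greps for in the hexdump output.
BACKDOOR_SIGNATURE_HEX = (
    "f30f1efa554889f54c89ce5389fb81e7000000804883ec28488954241848894c2410"
)
BACKDOOR_SIGNATURE = bytes.fromhex(BACKDOOR_SIGNATURE_HEX)

# The first pattern is the one the ChangeLog one-liner uses; the others are
# assumptions to catch multiarch/usr-merged layouts.
DEFAULT_GLOBS = [
    "/lib*/liblzma.so.5",
    "/usr/lib*/liblzma.so.5",
    "/usr/lib/*/liblzma.so.5",
]


def is_probably_vulnerable(data: bytes) -> bool:
    """True if the signature bytes occur anywhere in the data.

    hexdump -ve '1/1 "%.2x"' prints every byte as two hex digits with no
    separators or newlines, so grepping that text is the same test as a raw
    substring search over the file bytes.
    """
    return BACKDOOR_SIGNATURE in data


def scan_file(path: str) -> str:
    """Return the one-liner's verdict for a single file, or an error note."""
    try:
        with open(path, "rb") as fh:
            data = fh.read()
    except OSError as exc:
        return f"unreadable ({exc.strerror})"
    if is_probably_vulnerable(data):
        return "probably vulnerable"
    return "probably not vulnerable"


def scan_paths(patterns: Optional[List[str]] = None) -> Dict[str, str]:
    """Expand each glob and map every matching path to its verdict."""
    results: Dict[str, str] = {}
    for pattern in patterns if patterns is not None else DEFAULT_GLOBS:
        for path in sorted(glob.glob(pattern)):
            results[path] = scan_file(path)
    return results


# Constructed sample inputs for a self-test (fake ELF-ish blobs, not real
# library contents): one clean, one with the signature embedded mid-stream.
CLEAN_SAMPLE = b"\x7fELF" + b"\x00" * 64 + b"lzma_code\x00"
TAINTED_SAMPLE = b"\x7fELF" + b"\x90" * 17 + BACKDOOR_SIGNATURE + b"\xc3" * 9


if __name__ == "__main__":
    verdicts = scan_paths()
    if not verdicts:
        print("no liblzma.so.5 found under the default globs")
    for path, verdict in verdicts.items():
        print(f"{path}: {verdict}")
```

Run it as root or any user that can read the libraries; a result of "probably not vulnerable" on a library that is still from an affected release is not a clean bill of health, so pair the check with the package version as Slackware did by rebuilding from a clean git pull.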