On 4/5/24 10:36, wes wrote:
> I'm surprised to see that no one has mentioned this on PLUG yet, though
> it's been flying around the rest of the tech sphere on the internet pretty
> heavily over the last week. I will share it here in case any list member
> hasn't seen it yet elsewhere and if anyone is interested in this subject.
>
> The short version is, someone (potentially many someones) attempted to
> insert malicious code into the Linux pipeline which would have resulted in
> them being able to log in to any system running that code without
> authorization. The attempt was caught before it reached any major level of
> distribution and stopped, but the fact that it even got that far is
> alarming.
>
> Here is a NYT article covering the sequence of events in a pretty
> approachable way:
>
> https://www.nytimes.com/2024/04/03/technology/prevent-cyberattack-linux.html
>
> And for those who do not feel motivated to create an account on the NYT
> website:
>
> https://archive.ph/tc9bN
>
>

Interestingly, for those of us that use Slackware64-15.0 Linux (stable), 
the xz debacle was a non-issue. Even for Slackware64-current, it was a 
non-issue, but to be on the safe side, xz was rebuilt and patched with 
clean code:

ChangeLog

Fri Mar 29 20:39:11 UTC 2024

a/xz-5.6.1-x86_64-2.txz:  Rebuilt.
   Seems like a good idea to build this from a git pull rather than the signed
   release tarballs. :-)
   The liblzma in the previous packages were not found to be vulnerable by the
   detection script, but I'd rather not carry the bad m4 files in our sources.
   Here's a test script for anyone wanting to try it:
   if hexdump -ve '1/1 "%.2x"' /lib*/liblzma.so.5 | grep -q f30f1efa554889f54c89ce5389fb81e7000000804883ec28488954241848894c2410 ; then
     echo probably vulnerable
   else
     echo probably not vulnerable
   fi

Sat Mar 30 18:08:12 UTC 2024
a/xz-5.6.1-x86_64-3.txz:  Rebuilt.
   [PATCH] CMake: Fix sabotaged Landlock sandbox check.
   We don't build with CMake (yet), but it doesn't hurt to apply this.

Ya'll can keep yer fancy pants linux distros with yer systemd, dpkg/apt/yum and 
other silliness.

The Year of the Slackware Linux Desktop 1993 - 2024

-Ed
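
A byte-aligned variant of the ChangeLog's test script, added here as an example; it is not part of the message above or of the Slackware ChangeLog. It uses `od` instead of `hexdump`, matches the signature only on byte boundaries (a plain hex-string grep can also match starting mid-byte), and reports per file. The function names `has_sig` and `scan_liblzma` are hypothetical.

```shell
#!/bin/sh
# Added example; not the Slackware script. Signature copied from the ChangeLog above.
XZ_SIG=f30f1efa554889f54c89ce5389fb81e7000000804883ec28488954241848894c2410

# has_sig FILE [HEXSIG]
# Returns 0 if FILE contains the byte sequence, 1 if not, 2 on bad input.
has_sig() {
    file=$1
    sig=$(printf '%s' "${2:-$XZ_SIG}" | tr 'A-F' 'a-f')
    [ -f "$file" ] && [ -r "$file" ] || return 2
    case $sig in
        ''|*[!0-9a-f]*) return 2 ;;          # must be non-empty hex
    esac
    [ $(( ${#sig} % 2 )) -eq 0 ] || return 2  # whole bytes only
    # " f3 0f 1e ...": the leading space pins the match to a byte boundary.
    needle=$(printf '%s' "$sig" | sed 's/../ &/g')
    # od -v prints every byte; join its lines into one space-separated stream.
    od -An -v -tx1 "$file" | tr '\n' ' ' | tr -s ' ' | grep -qF -- "$needle"
}

# scan_liblzma [FILE...]
# Prints one verdict per file; returns 1 if any file matched.
# With no arguments it checks the same glob as the ChangeLog script.
scan_liblzma() {
    [ $# -gt 0 ] || set -- /lib*/liblzma.so.5
    hits=0
    for f in "$@"; do
        [ -e "$f" ] || continue               # unmatched glob stays literal
        rc=0
        has_sig "$f" || rc=$?
        case $rc in
            0) echo "$f: probably vulnerable"; hits=$((hits + 1)) ;;
            1) echo "$f: probably not vulnerable" ;;
            *) echo "$f: unreadable, not checked" >&2 ;;
        esac
    done
    [ "$hits" -eq 0 ]
}
```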

