backdoor in upstream xz/liblzma leading to ssh server compromise

Atemu@lemmy.ml to Linux@lemmy.ml – 518 points –
openwall.com
99

You are viewing a single comment

And you know what? Doing updates once a week saved me from updating to this version :)

I upgraded to 5.6.0-1 on the 28th Februar already. Over a month ago. On a server. That's the first time Arch testing has fucked me so hard lol.

Having arch has benefits because of more up to date packages but ofc as it happened to you, it introduces more risks

You probably are fairly safe. Yeah, okay, from a purely-technical standpoint, your server was wide-open to the Internet. But unless some third party managed to identify and leverage the backdoor in the window between you deploying it and it being fixed, only the (probably state-backed) group who are doing this would have been able to make use of it. They probably aren't going to risk exposing their backdoor by exploiting it on your system unless they believe that you have something that would be really valuable to them.

Maybe if you're a critical open-source developer, grabbing your signing keys or other credentials might be useful, given that they seem to be focused on supply-chain attacks, but for most people, they probably just aren't worth the risk. Only takes them hitting some system with an intrusion-detection system that picks up on the breakin, them leaving behind traces, and some determined person tracking down what happened, and they've destroyed their exploit.