this post was submitted on 31 Mar 2024
83 points (95.6% liked)
Explain Like I'm Five
14270 readers
15 users here now
Simplifying Complexity, One Answer at a Time!
Rules
- Be respectful and inclusive.
- No harassment, hate speech, or trolling.
- Engage in constructive discussions.
- Share relevant content.
- Follow guidelines and moderators' instructions.
- Use appropriate language and tone.
- Report violations.
- Foster a continuous learning environment.
founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
TL;DR don't worry (for now) - it only impacts rpm and deb builds and impacted releases only really made it into OpenSuSe tumbleweed - if you're running bleeding edge maybe you need to worry a little.
A laymans explanation about what happens is that the malicious package uses an indirect linkage (via systemd) to openssh and overrides a crypto function which either:
Or both!
I have secondhand info that privately the reverse engineering is more advanced, but nobody wants to lead with bad info.
As for what you should do? Unless you're running an rpm or deb based distro and you have version 5.6.0 or 5.6.1 of xz-utils installed, not much. If you are, well, that comes down to your threat model and paranoia level: either upgrade (downgrade) the package to a non-vulnerable version or dust off and nuke the site from orbit; it's the only way to be sure.
Didn't it also get into Debian testing and Sid?
Debian Sid would be considered "bleeding edge", not sure about Testing. It also made it into Fedora's Sid equivalent, Rawhide and the branch for Fedora 41 (due out in October)