this post was submitted on 30 Mar 2024
2 points (100.0% liked)

technology


If you're running version 5.6.0 or 5.6.1, downgrade immediately.

top 10 comments
[–] henfredemars@infosec.pub 2 points 7 months ago (1 children)

Wow! This was so close to perhaps being one of the worst security compromises in open source history.

[–] CoolYori@hexbear.net 2 points 7 months ago (1 children)

For me I feel like we have not had any big security stuff since the whole log4j thing. While this seems bigger they have caught it relatively early. I feel like more people had to panic patch Minecraft servers with log4j.

[–] henfredemars@infosec.pub 1 points 7 months ago (1 children)

My only reservation is that this compromised contributor has been working on the project for a few years. I hope that this is the end of the tunnel and there aren’t more issues to be uncovered with further analysis.

[–] CoolYori@hexbear.net 1 points 7 months ago

It's easy to spiral out of control thinking about how the practice that got us this backdoor is something that is used all over the open source community to build code. In the end we can only evaluate what is in front of us and pray the things lurking in the shadows are something we can deal with when they expose themselves.

[–] AssortedBiscuits@hexbear.net 1 points 7 months ago

Mods should sticky this. This is the third post in this comm about the vulnerability.

[–] Faresh@lemmy.ml 0 points 7 months ago (2 children)

Do not run xz --version. Instead check the version in your package manager.

[–] heyfrancis@lemmy.ml 2 points 7 months ago* (last edited 7 months ago)
debian/ubuntu based distros:
apt show xz-utils
or
dpkg -l | grep xz

redhat/fedora-based:
yum info xz
dnf info xz

arch-based:
pacman -Qi xz

EDIT: correction as suggested below
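The package-manager checks above, wrapped into one script as an added example (not from the thread or the xz project): it asks dpkg, rpm or pacman for the installed xz version, never runs the xz binary, and flags 5.6.0 and 5.6.1. The package names (xz-utils on Debian/Ubuntu, xz elsewhere) follow the commands in the comment; the handling of Debian's "+really" revert suffix is an assumption about that packaging convention.

```shell
#!/bin/sh
# Added example: check the installed xz version via the package manager only.
# The xz binary itself is never executed here.

# Return 0 if the upstream version is one of the two releases the post says to downgrade from.
is_affected_version() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Reduce a distro package version to the upstream version:
#   "1:5.4.5-0.3"            -> "5.4.5"  (epoch and Debian revision dropped)
#   "5.6.1-1ubuntu1"         -> "5.6.1"
#   "5.6.1+really5.4.5-1"    -> "5.4.5"  (assumed Debian "+really" revert convention)
upstream_version() {
    printf '%s\n' "$1" | sed -e 's/^[0-9]*://' -e 's/^.*+really//' -e 's/-.*$//'
}

# Ask whichever package manager is present; prints nothing if xz is unknown.
installed_xz_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f '${Version}\n' xz-utils 2>/dev/null
    elif command -v rpm >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}\n' xz 2>/dev/null
    elif command -v pacman >/dev/null 2>&1; then
        pacman -Q xz 2>/dev/null | awk '{print $2}'
    fi
}

# Exit status: 0 not affected, 1 affected release installed, 2 could not determine.
main() {
    raw=$(installed_xz_version)
    if [ -z "$raw" ]; then
        echo "xz not found via dpkg, rpm or pacman"
        return 2
    fi
    ver=$(upstream_version "$raw")
    if is_affected_version "$ver"; then
        echo "installed xz $ver is an affected release (5.6.0/5.6.1): downgrade"
        return 1
    fi
    echo "installed xz $ver is not 5.6.0 or 5.6.1"
    return 0
}
```

Source the file and call `main`, or append `main "$@"` to run it as a script; the version parsing functions can be reused on their own.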

[–] LibsEatPoop@hexbear.net 1 points 7 months ago (1 children)

Why is that? I know the latter gives you more info, but it's still the same thing isn't it?

[–] Faresh@lemmy.ml 0 points 7 months ago (1 children)

Because you are running the affected software. It's a bad idea to run something if we are aware that it contains or relies on malicious code.

[–] LibsEatPoop@hexbear.net 1 points 7 months ago

Omg obviously. Can't believe I didn't realize that. Thanks for the answer.