When the xz backdoor was discovered, I quickly uninstalled my Arch based setup with an infected version of the software and switched to a distro that shipped an older version (5.5 or 5.4 or something). I found an article which said that in 5.6.1-3 the backdoor was “fixed” by just not letting the malware part communicating with the vulnerable ssh related stuff and the actual malware is still there? (I didn’t understand 80% of the technical terms and abbreviations in it ok?) Like it still sounds kinda dangerous to me, especially since many experts say that we don’t know the other ways this malware can use (except for the ssh supply chain) yet. Is it true? Should I stick with the new distro for now or can I absolutely safely switch back and finally say that I use Arch btw again?

P. S. I do know that nothing is completely safe. Here I’m asking just about xz and libxzlk or whatever the name of that library is

EDIT: 69 upvotes. Nice

  • pastermil
    link
    fedilink
    arrow-up
    36
    ·
    7 months ago

    To add to your point: The .deb ones are most likely safe, since it would only be on the unstable & experimental branches. Your garden variety production servers & personal computers should be fine. That is unless you’re into some unusual setup like with playing around with the upcoming version, or for some reason are pulling your own xz build.

    Can’t speak for the .rpm tho.

    • narc0tic_bird@lemm.ee
      link
      fedilink
      arrow-up
      12
      ·
      7 months ago

      Fedora 39 and 40 (which is still in beta) uses xz 5.4. Fedora 41/rawhide (essentially the development branch) was affected it seems: https://access.redhat.com/security/cve/CVE-2024-3094. CentOS Stream and RHEL have way more outdated packages than that, so they were never vulnerable to this backdoor.

      openSUSE Tumbleweed (their rolling release) was affected: https://news.opensuse.org/2024/03/29/xz-backdoor/, Enterprise or Leap were unaffected.

      • pastermil
        link
        fedilink
        arrow-up
        3
        ·
        7 months ago

        Ah, so the .rpm is pretty much like the .deb in that it’s mostly unaffected. Speaking of, I think the .deb side may have VanillaOS affected since it’s based on Debian’s unstable branch.

    • r00ty@kbin.life
      link
      fedilink
      arrow-up
      7
      ·
      7 months ago

      Yeah, I checked myself when this was first a thing. Debian 12 and Ubuntu 22.04 latest are on 5.4 and 5.2 respectively.

    • 30p87@feddit.de
      link
      fedilink
      arrow-up
      4
      ·
      7 months ago

      “Safe” is a strong word to use. It’s safe from that specific backdoor, and it seems like the known backdoor was the main goal of the attackers, but we don’t know if they’re playing 4D-Chess and have already implemented another backdoor which they’re actively using.