
I accidentally found a security issue while benchmarking postgres changes.

If you run Debian testing, unstable or some other more "bleeding edge" distribution, I strongly recommend upgrading ASAP.

openwall.com/lists/oss-securit

www.openwall.com: oss-security - backdoor in upstream xz/liblzma leading to ssh server compromise
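A quick "am I affected?" check to go with the post's upgrade advice. This is an added example, not code from the post or from the xz project; it assumes the affected upstream releases are 5.6.0 and 5.6.1 (taken from the linked oss-security advisory, not from the thread itself) and that the ssh-server angle is visible as sshd loading liblzma (via libsystemd on distributions that patch sshd for systemd notification). The `xz --version` output it parses is the real tool's format; the sample input in the comments is constructed.

```bash
#!/bin/sh
# Added example: decide whether the installed XZ Utils is one of the
# backdoored upstream releases and whether sshd pulls liblzma into its
# process. Assumption (from the linked oss-security advisory, not stated
# in the thread): the compromised releases are 5.6.0 and 5.6.1.

# Extract the version number from `xz --version` output, whose first line
# looks like (constructed sample): "xz (XZ Utils) 5.6.1". Prints "5.6.1".
xz_version_from_output() {
    printf '%s\n' "$1" | sed -n '1s/.*XZ Utils) \([0-9][0-9.]*\).*/\1/p'
}

# Return 0 (true) when the version string is a known-backdoored release.
xz_version_is_backdoored() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Return 0 when the sshd binary on this host dynamically links liblzma,
# i.e. the backdoored library would be mapped into the ssh server.
sshd_loads_liblzma() {
    sshd_path=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
    [ -x "$sshd_path" ] || return 1
    ldd "$sshd_path" 2>/dev/null | grep -q 'liblzma'
}

# Check the running system: print a verdict, return 0 when action is needed.
check_installed_xz() {
    if ! command -v xz >/dev/null 2>&1; then
        echo "xz not installed; nothing to check"
        return 1
    fi
    ver=$(xz_version_from_output "$(xz --version 2>/dev/null)")
    if xz_version_is_backdoored "$ver"; then
        echo "xz $ver is a backdoored release: upgrade (or downgrade) now"
        if sshd_loads_liblzma; then
            echo "sshd on this host links liblzma: treat the ssh server as exposed"
        fi
        return 0
    fi
    echo "xz $ver is not one of the known-backdoored releases"
    return 1
}

# Usage: run on the host you are worried about.
# check_installed_xz
```

The version match is deliberately exact rather than a range comparison: distribution builds of 5.6.x that have been rebuilt from clean sources carry the same version string, so a green result here only says the upstream tarball version is not the known-bad one; the authoritative answer is still your distribution's security advisory and package changelog.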
Gordon Messmer

@AndresFreundTec Thank you so much for finding this!

The questions at the top of my mind now are: who will fork and continue maintenance of xz? How will we determine that we can trust them? And how will we apply those lessons throughout the larger ecosystem?

@gordonmessmer @AndresFreundTec I read that many projects are migrating to zstd anyway ¯\_(ツ)_/¯

@malte @AndresFreundTec There's still a lot of data out there already in xz format, so merely dropping the software would mean that that data becomes unreadable. Dropping it may be an option, but I'm not sure it's the best option.

@gordonmessmer @malte @AndresFreundTec True, but xz isn't the only library capable of decoding lzma. 7-zip, for example.