Seth Larson: "xz/liblzma backdoor (CVE-2024-…" - Fosstodon

Recent searches

Search options

Only available when logged in.

Seth Larson @sethmlarson@fosstodon.org

xz/liblzma backdoor (CVE-2024-3094) is trending.

https://openwall.com/lists/oss-security/2024/03/29/4

#Python bundles xz v5.2.5 and earlier which don't contain the backdoored binary files. #PyPI is also not affected due to using Debian Bookworm, not Sid.

Querying PyPI packages and Python Dockerhub images doesn't show any xz 5.6.x binaries.

From what I've gathered from others, the backdoor appears to target sshd (SSH server) on glibc-based distros, so if you're using Ubuntu or Fedora check that you aren't affected.

openwall.comoss-security - backdoor in upstream xz/liblzma leading to ssh server compromise

Mar 29, 2024, 07:03 PM·

12boosts·14favorites

Seth Larson @sethmlarson

https://discuss.python.org/t/cpython-pypi-and-many-python-packages-are-not-affected-by-the-backdoor-of-xz/49873

Discussions on Python.org · Mar 29, 2024CPython, PyPI, and many Python packages are not affected by the backdoor of xzNote that this is actively unfolding event so we might not have all the facts straight right now, if anything changes this thread will be updated appropriately. It was posted on Openwall earlier today that the xz-utils project (also known as xz and liblzma) had a malicious backdoor committed and published in the v5.6.0 and v5.6.1 releases of the project. CVE-2024-3094 has been assigned to this event. The Python Security Response Team was alerted due to the CPython project bundling xz for the...

Sean Gillies @sgillies@mastodon.social

@sethmlarson Thank you for staying on top of this!

Hynek Schlawack @hynek@mastodon.social

@sethmlarson *debian bookworm

(I got really confused for a sec )

Seth Larson @sethmlarson

@hynek ahhh! Good eye, fixed.

Drag & drop to upload