If you run a testing/unstable Linux distro, check your xz versions ASAP for a potential backdoor affecting ssh auth: https://www.openwall.com/lists/oss-security/2024/03/29/4
oss-security - backdoor in upstream xz/liblzma leading to ssh server compromise

@starchy does this also affect the toolchain for @linux / #Linux #Kernel?

Cuz I do set #kernel666 and the #initramfs for @OS1337 to be compressed with #xz and whilst it's statically compiled against @musl, I still want to ensure this isn't a #SupplyChainAttack affecting me or OS/1337.

#SupplyChain #OS1337

@kkarhan My read is that musl builds wouldn't have triggered this backdoor, but I'm not an expert and @OS1337 should probably do their own investigation to rule it out

@starchy That's why I'm asking.

I am the maintainer of @OS1337 and I do want to ensure it's not affected by it...

After all, it uses @linux, @musl, #Toybox and #dropbear and for building it does utilize the #GCC since it seems as if #Linux doesn't like being built by #LLVM...

@kkarhan @starchy @OS1337 @linux @musl I think musl distros aren't affected, see Alpine's post
Alpine Linux

Alpine Linux is not affected by CVE-2024-3094 (backdoor in upstream xz/liblzma leading to ssh server compromise).

@QuadRadical also apparently it aims to compromise #SSH servers, so technically even if @OS1337 didn't use #dbclient [which is #dropbear built solely as SSH-#client] it may not even affect it at all since dropbear comes with its own stuff...

Not sure if it uses said library at all...