The XZ-Utils backdoor, first discovered in March 2024, is still present in at least 35 Linux images on Docker Hub, potentially putting users, organizations, and their data at risk.
@BleepingComputer the response from Docker highlights why this is a non-issue.
- Anyone using this pinned to a very old state of the unstable or testing branch of Debian.
- They'd need to run systemd inside a container (very rare).
- Then run sshd in that container (kinda rare).
- And what's not listed is they also need to expose that sshd instance to the Internet.
At that point, an attacker might be able to access a very poorly designed and unmaintained container.