XZ Backdoor for SSH
-
Hello
There is a backdoor (by a "bond?" or other spies?) in liblzma. This is loaded by ssh. This backdoor allows code injection by a "wrong" crypt key. It is a supply chain attack too..
https://www.helpnetsecurity.com/2024/03/31/xz-backdoored-linux-affected-distros/
Do we need a hotfix or workaround or quick update (rollback) in xcp?
thx Axel
-
Hi,
XCP-ng is not affected at all by this issue
-
I'll investigate this further today to be 100% sure, but the version of XZ we have is not impacted, plus we build from a copied tarball in our build system, so even if the tarball of this version was impacted later than the time we downloaded the tarball, we would not be impacted.
We'll make a communication about it once I have finished double-checking it.
-
My bad, forgot this was a package we took from CentOS 7, but this package was made prior to JiaT75 starting this journey.
For reference:
-
@bleader Thx for your answer and good to know