XZ Backdoor for SSH
-
Hello
There is a backdoor (by a "bond?" or other spies?) in liblzma. This is loaded by ssh. This backdoor allows code injection by a "wrong" crypt key. It is a supply chain attack too.
https://www.helpnetsecurity.com/2024/03/31/xz-backdoored-linux-affected-distros/
Do we need a hotfix or workaround or quick update (rollback) in xcp?
thx Axel
-
Hi,
XCP-ng is not affected at all by this issue.

-
I'll investigate this further today to be 100% sure, but the version of XZ we have is not impacted, plus we build from a copied tarball in our build system, so even if the tarball of this version was impacted later than the time we downloaded the tarball, we would not be impacted.
We'll make a communication about it once I have finished double-checking it.
-
My bad, forgot this was a package we took from CentOS 7, but this package was made prior to JiaT75 starting this journey.
For reference:
-
@bleader Thx for your answer
and good to know 