cjcox
2[H]4U
- Joined
- Jun 7, 2004
- Messages
- 2,956
So full details are still in progress. But a successful backdoor has been inserted into the code base of xz and its library as used by many programs, including, for example, openssh.
The impact, while not completely described, likely will result in an in-memory all-access key allowing remote access for those with Internet-facing ssh. But, again, that's still early reports.
The answer is to revert (for now) xz to version 5.4 away from the vulnerable 5.6 version.
This one is big, probably the biggest security issue ever for Linux, but again, really affecting those with more contemporary systems running. Everyone needs to take inventory, patch and/or shut down. If compromised, you may have a whole lot more work to do.
https://nvd.nist.gov/vuln/detail/CVE-2024-3094
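Added example, not part of the original post: a small inventory check for the "take inventory" step, which reads the installed xz version and reports whether sshd is linked against liblzma. The function names are hypothetical, and flagging every 5.6.x release for review is an assumption based on the post naming the 5.6 version.

```bash
#!/usr/bin/env bash
# Added example: inventory helper for CVE-2024-3094 triage.
# Assumption: any 5.6.x release is flagged for review, since the post
# names "the vulnerable 5.6 version" without listing point releases.

# Pull the version out of `xz --version` style output,
# whose first line looks like: "xz (XZ Utils) 5.6.1"
xz_version_from_output() {
    printf '%s\n' "$1" | sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Classify a version string: REVIEW for the 5.6 series, UNKNOWN if empty.
classify_xz_version() {
    case "$1" in
        "")        echo "UNKNOWN" ;;
        5.6|5.6.*) echo "REVIEW" ;;
        *)         echo "OK" ;;
    esac
}

# Succeeds when ldd-style output (passed as $1) lists liblzma.
links_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# Live check of the local host; only runs when invoked with --scan.
scan_host() {
    xz_out=$(xz --version 2>/dev/null || true)
    xz_ver=$(xz_version_from_output "$xz_out")
    echo "xz version: ${xz_ver:-not found} -> $(classify_xz_version "$xz_ver")"
    sshd_path=$(command -v sshd || true)
    if [ -n "$sshd_path" ] && links_liblzma "$(ldd "$sshd_path" 2>/dev/null)"; then
        echo "sshd links liblzma: yes"
    else
        echo "sshd links liblzma: no (or sshd not found)"
    fi
}

if [ "${1:-}" = "--scan" ]; then
    scan_host
fi
```

A REVIEW result means the host should be handled as the post describes: revert xz to 5.4 and check for compromise.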