29 points

Simply excluding this backdoor does not seem to be sufficient. The malicious actor has contributed over 750 commits to xz, all of which could contain further backdoors.

Downgrading to the last version without any contributions from the malicious actor is not possible either, because of new functionalities and other security issues that were fixed in the meantime. Uninstalling xz is also not possible, because half my system depends on it.

I guess it will take some time to sort all of that out. I am very impressed by the fast and coordinated response to this incident by the FOSS community.

17 points

This is just speculation, but I think this was a long-planned attack. I think it’s unlikely any previous backdoors or significant security vulnerabilities would have been introduced; the goal was to establish themselves as a legitimate contributor and then sneak one critical backdoor in unnoticed. Sneaking in multiple vulnerabilities would have increased the risk of detection.

From what I understand they did cause a conflict with another package, and then used that to try to justify having the backdoored versions of the package fast-tracked into upcoming Debian and Fedora releases. But that would also suggest that their whole goal was shipping this one backdoor.

2 points

Well that’s unfortunate
