[SOLVED]The xz package has been backdoored

[SOLVED]The xz package has been backdoored

Postby m3 » Fri Mar 29, 2024 7:28 pm

According to today's Arch Linux news, the xz package needs an urgent update.

Current version is 5.6.1-1 and is compromised.

Any actions for update?

EDIT
xz 5.6.1-2 is now pushed to mirrors.
Kudos
Last edited by m3 on Sat Mar 30, 2024 4:44 am, edited 1 time in total.
m3
 
Posts: 5
Joined: Fri Mar 29, 2024 7:19 pm

Re: The xz package has been backdoored

Postby neildarlow » Fri Mar 29, 2024 9:18 pm

The package listing here shows the update as available but it hasn't reached the repositories yet. Can this be expedited? It's a very concerning vulnerability.

EDIT: Reading some background on this, the code-injection logic within the build seems to specifically target only the x86_64 architecture. This might give us some degree of safety but known, not vulnerable, version packages would be best for peace of mind.
neildarlow
 
Posts: 18
Joined: Fri Jul 17, 2020 10:45 am

xz has been backdoored, when do we expect an update on ARM?

Postby potuz » Fri Mar 29, 2024 9:27 pm

https://archlinux.org/news/the-xz-package-has-been-backdoored/

My just-upgraded Arch on ARMv7 still shows an affected version.
potuz
 
Posts: 4
Joined: Sat Mar 02, 2019 10:41 pm

Backdoored xz

Postby megabaseballdork » Fri Mar 29, 2024 9:27 pm

Hey, looks like xz 5.6.1-1 is still what's being shipped currently. Any ETA on a bump?

Background:
https://archlinux.org/news/the-xz-package-has-been-backdoored/
megabaseballdork
 
Posts: 1
Joined: Sun Jun 18, 2023 10:04 pm

Re: The xz package has been backdoored

Postby mnot » Fri Mar 29, 2024 9:59 pm

5.6.1-2 is out, but I don't see it on the mirrors yet.
mnot
 
Posts: 3
Joined: Thu Jan 03, 2019 1:10 am

Re: [SOLVED]The xz package has been backdoored

Postby graysky » Sat Mar 30, 2024 5:24 am

MOD note: merged
graysky
Developer
 
Posts: 1876
Joined: Sun Jun 26, 2011 6:56 am
Location: /run/user/1000

Re: [SOLVED]The xz package has been backdoored

Postby graysky » Sat Mar 30, 2024 10:49 am

See Allan's post: https://bbs.archlinux.org/viewtopic.php?pid=2160841#p2160841

Allan wrote:

> alvrogd wrote:
>
> > seth wrote:
> >
> > > From what has been discovered so far this was a rather specific attack exploiting a downstream patch of sshd in debian and redhat.
> > > I've not compared the binaries myself so I don't vouch for those findings but it's rather likely that your system has never been compromised tbw.
> >
> > I've followed the conversation in the original report, and found some users comparing Arch's xz 5.6.1-1 vs. 5.6.1-2. By disassembling the liblzma library, it appears that the packages might have never been affected by the backdoor, due to the deb/rpm check in the script that decides whether to inject the vulnerability or not.
> >
> > References:
> >
> > https://www.openwall.com/lists/oss-security/2024/03/29/17
> > https://www.openwall.com/lists/oss-security/2024/03/29/20
> > https://www.openwall.com/lists/oss-security/2024/03/29/22
>
> This is the important bit. There was no issue with Arch because the backdoor checked if xz was being built on an RPM or Deb based system before it was activated. The rebuild is purely precautionary, and completely unneeded.
graysky
Developer
 
Posts: 1876
Joined: Sun Jun 26, 2011 6:56 am
Location: /run/user/1000
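A small triage script for the situation discussed in this thread, added here as an example (it is not from the thread, from Arch, or from the xz project). It classifies an installed xz package version against the pulled 5.6.1-1 build and the 5.6.1-2 rebuild, and checks whether an sshd binary maps liblzma at all, since the attack relied on the downstream Debian/Red Hat sshd patches that pull liblzma in. Both checks take their input as text, so they can be run on captured output; the sample data at the bottom is constructed, not taken from a real host.

```shell
#!/bin/sh
# Compare two pacman-style versions "pkgver-pkgrel" and print -1, 0 or 1.
# Assumption: purely numeric dotted pkgver with a numeric pkgrel (true for xz).
vercmp_simple() {
    a_ver=${1%-*}; a_rel=${1##*-}
    b_ver=${2%-*}; b_rel=${2##*-}
    b_fields=$(printf '%s' "$b_ver" | tr . ' ')
    set -- $(printf '%s' "$a_ver" | tr . ' ')   # a's components as $1 $2 ...
    for bf in $b_fields; do
        af=${1:-0}; [ $# -gt 0 ] && shift
        if [ "$af" -lt "$bf" ]; then printf '%s\n' -1; return; fi
        if [ "$af" -gt "$bf" ]; then printf '%s\n' 1; return; fi
    done
    if [ $# -gt 0 ]; then printf '%s\n' 1; return; fi  # a has extra components
    if [ "$a_rel" -lt "$b_rel" ]; then printf '%s\n' -1
    elif [ "$a_rel" -gt "$b_rel" ]; then printf '%s\n' 1
    else printf '%s\n' 0; fi
}

# Classify one "xz VERSION" line as printed by `pacman -Q xz`:
#   rebuilt      - 5.6.1-2 or newer (the precautionary rebuild from the news item)
#   pulled-build - exactly 5.6.1-1, the build the news item told users to replace
#   older        - anything before that
xz_status() {
    ver=${1#xz }
    if [ "$(vercmp_simple "$ver" 5.6.1-2)" -ge 0 ]; then echo rebuilt
    elif [ "$ver" = 5.6.1-1 ]; then echo pulled-build
    else echo older
    fi
}

# Given the text of `ldd /usr/bin/sshd`, report whether liblzma is mapped.
# If it is not, the xz payload had no path into sshd on that host.
sshd_links_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma\.so' && echo yes || echo no
}

# Constructed sample inputs (not captured from a real system).
SAMPLE_PACMAN="xz 5.6.1-1"
SAMPLE_LDD_PLAIN='  libcrypto.so.3 => /usr/lib/libcrypto.so.3 (0x00007f3a2c000000)
  libz.so.1 => /usr/lib/libz.so.1 (0x00007f3a2bfe0000)'
SAMPLE_LDD_PATCHED='  libsystemd.so.0 => /usr/lib/libsystemd.so.0 (0x00007f3a2c100000)
  liblzma.so.5 => /usr/lib/liblzma.so.5 (0x00007f3a2c0c0000)'

echo "package: $(xz_status "$SAMPLE_PACMAN")"                      # pulled-build
echo "plain sshd links liblzma: $(sshd_links_liblzma "$SAMPLE_LDD_PLAIN")"       # no
echo "patched sshd links liblzma: $(sshd_links_liblzma "$SAMPLE_LDD_PATCHED")"   # yes
# Live use: xz_status "$(pacman -Q xz)"; sshd_links_liblzma "$(ldd /usr/bin/sshd)"
```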

Re: [SOLVED]The xz package has been backdoored

Postby technosf » Sun Mar 31, 2024 9:53 pm

TY graysky!
MochaBin 5G || NSA325
technosf
 
Posts: 147
Joined: Sat Jan 08, 2011 10:54 pm
