Backdoor in upstream xz/liblzma leading to ssh server compromise
A nice tl;dr was https://news.ycombinator.com/item?id=39866307
Copied here:
For those panicking, here are some key things to look for, based on the writeup:
Debian testing already has a version called '5.6.1+really5.4.5-1' that is really an older version 5.4, repackaged with a newer version to convince apt that it is in fact an upgrade.
It is possible there are other flaws or backdoors in liblzma5, though.
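The '+really' trick in the copied tl;dr works because of how dpkg orders version strings, not because of anything special about the package contents. The block below is an added example, not code from the thread or from Debian: a Python re-implementation of the dpkg version comparison algorithm (Debian Policy section 5.6.12), plus a helper that extracts the upstream version actually packaged, so an admin can confirm that the "upgrade" apt accepts is in fact the older 5.4.5 source.

```python
import re
from itertools import zip_longest

def _order(c):
    # Weight of one character in a non-digit run, as in dpkg: '~' sorts before
    # everything (even end of string), letters before non-letters.
    return -1 if c == '~' else 0 if c == '' else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_nondigit(a, b):
    for ca, cb in zip_longest(a, b, fillvalue=''):
        oa, ob = _order(ca), _order(cb)
        if oa != ob:
            return -1 if oa < ob else 1
    return 0

def _cmp_fragment(a, b):
    # Compare an upstream-version or revision string: alternate between a
    # non-digit run (lexical, weighted as above) and a digit run (numeric).
    while a or b:
        na, nb = re.match(r'\D*', a), re.match(r'\D*', b)
        r = _cmp_nondigit(na.group(), nb.group())
        if r:
            return r
        a, b = a[na.end():], b[nb.end():]
        da, db = re.match(r'\d*', a), re.match(r'\d*', b)
        ia, ib = int(da.group() or 0), int(db.group() or 0)
        if ia != ib:
            return -1 if ia < ib else 1
        a, b = a[da.end():], b[db.end():]
    return 0

def split_version(v):
    """'[epoch:]upstream[-revision]' -> (epoch, upstream, revision)."""
    epoch, rest = v.split(':', 1) if ':' in v else ('0', v)
    upstream, _, revision = rest.rpartition('-') if '-' in rest else (rest, '', '')
    return int(epoch), upstream, revision

def compare_versions(a, b):
    """Return -1, 0 or 1, the way dpkg --compare-versions orders a and b."""
    (ea, ua, ra), (eb, ub, rb) = split_version(a), split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)

def effective_upstream(v):
    """Upstream version really packaged: the text after '+really', if present."""
    upstream = split_version(v)[1]
    return upstream.split('+really', 1)[1] if '+really' in upstream else upstream
```

Because '+' sorts after end of string, `5.6.1+really5.4.5-1` compares greater than `5.6.1-1`, so apt treats the repackaged 5.4.5 as an upgrade; a version with an epoch such as `1:5.4.5-1` would achieve the same without the '+really' marker.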
5.6.1+really5.4.1
Most sane Debian package management
They really ought to have version masking like in Gentoo portage.
Package management deserves more love on Debian, indeed. Yet they apparently have the largest collection of packages...