Backdoor in upstream xz/liblzma leading to ssh server compromise

https://www.openwall.com/lists/oss-security/2024/03/29/4

How does this affect the security of IPFire?

Regards

I am looking at it at the moment.

It looks to me that IPFire does not have liblzma linked to ssh, so the sshd on IPFire should not be affected by that issue.

As a precaution, don't make the IPFire sshd internet-facing by allowing access from RED; keeping it off RED is the recommended way to run it anyway.

If you need to access the ssh server on IPFire, it is best to access it via an OpenVPN or IPsec tunnel.


FWIW, looking into this as well.

I concur with @bonnietwin’s assessment that IPFire is not affected, and that there is no reason to panic. Will post a complete preliminary assessment to the development mailing list once I’m done, and will link it here.

In the meantime, please stay tuned for updates, but don’t panic - there is no need for that. :slight_smile:

Thanks, and best regards,
Peter Müller


https://lists.ipfire.org/hyperkitty/list/development@lists.ipfire.org/thread/S7UTZ7LKQKA3MBQM5DDXYYBPZJ4B2KM3/

TL;DR: Stable versions of IPFire are not affected. The upcoming Core Update 185 contains a known backdoored xz version, but is very likely unaffected by the SSH backdoor unveiled today (and so far, we don't know about any other backdoors added to xz).

If you are running Core Update 184, you are fine. Nevertheless, we continue to strongly recommend not to expose your IPFire’s SSH server directly to the internet. :slight_smile:

Thanks, and best regards,
Peter Müller


You can check the version with xz --version.
If liblzma 5.6.x is reported, you have the backdoored version installed.

If you are already on core185/186:
switch to the testing tree (if you are in unstable), set
/opt/pakfire/db/core/mine
back to 184 and reinstall core185 with:
pakfire update --force
pakfire upgrade

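The two checks discussed in this thread, whether the installed liblzma is one of the backdoored releases and whether sshd is linked (directly or transitively) against liblzma at all, can be scripted. The script below is an added example for this page and is not part of the original posts or of IPFire itself. It assumes the known backdoored releases are liblzma 5.6.0 and 5.6.1 (the versions named in the linked advisory), that sshd lives at /usr/sbin/sshd unless a path is given, and that xz and ldd are available on the host; the version and ldd outputs it is tested against are constructed.

```sh
#!/bin/sh
# Added example: post-advisory checks for the xz/liblzma backdoor on a Linux
# host such as IPFire. Not part of the forum thread or of IPFire.

# Return 0 if the given `xz --version` output names a known backdoored
# liblzma release (assumption: 5.6.0 and 5.6.1, as in the advisory), else 1.
# $1: the full text printed by `xz --version`
liblzma_version_affected() {
    printf '%s\n' "$1" | awk '
        $1 == "liblzma" && ($2 == "5.6.0" || $2 == "5.6.1") { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Return 0 if the given `ldd <binary>` output lists liblzma, else 1.
# ldd shows transitive dependencies too, which matters here: on distributions
# where sshd was exposed, liblzma came in indirectly (via libsystemd), not as
# a direct NEEDED entry, so `readelf -d sshd` alone would miss it.
# $1: the full text printed by `ldd <binary>`
links_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# Run both checks against the live system and print a one-line verdict each.
# $1 (optional): path to the sshd binary; /usr/sbin/sshd is an assumed default.
check_host() {
    sshd_path=${1:-/usr/sbin/sshd}

    if liblzma_version_affected "$(xz --version 2>/dev/null)"; then
        echo "xz: installed liblzma is a known backdoored release (5.6.0/5.6.1)"
    else
        echo "xz: installed liblzma is not 5.6.0/5.6.1 (or xz is not installed)"
    fi

    if [ -x "$sshd_path" ] && links_liblzma "$(ldd "$sshd_path" 2>/dev/null)"; then
        echo "sshd: $sshd_path links liblzma (directly or transitively); the backdoor could reach it"
    else
        echo "sshd: $sshd_path does not link liblzma (or was not found); not reachable by this backdoor"
    fi
}

# Run against the current host when executed directly.
check_host "$@"
```

A host that reports a 5.6.0/5.6.1 liblzma but an sshd that does not link it matches the situation described for the Core Update 185 development build above: the backdoored library is present, but the code path that targeted sshd cannot be reached through it. The first line still means the package should be rolled back, because the xz binary and library themselves remain untrusted.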

Before the upgrade
IPFire 2.29 (x86_64) - Core-Update 185 Development Build: master/0564584a

After upgrade according to instructions
IPFire 2.29 (x86_64) - Core-Update 185 Development Build: master/bb46f3be

Regards

You have not reinstalled core185.
The fixed version is:
IPFire 2.29 (x86_64) - Core-Update 185 Development Build: master/bb46f3be