Hi all, Just posting this for general interest, seeing as IPFire uses OpenSSH (I think):
https://mybroadband.co.za/news/security/530843-a-superhero-hacker-saved-the-internet-this-weekend.html
That is indeed interesting. I wonder how many times it happens over a given period, 'cause it does.
Let's face it, proper procedures covering “everything” are lacking, not always because of unawareness, but because of the financial impact of having them.
Securing a product might cost more than developing it.
There is already a thread about this topic:
well I did not understand that thread…
@arne_f My apologies, I did not realise that was about the same issue.
IPFire is not affected by this attack.
- stable versions (core184) do not contain the backdoored liblzma
- testing versions (core185) prior to 2024-03-31 have the problematic liblzma but ssh does not use it.
If you are on core185 from testing you should check the version of liblzma by “xz --version” and reinstall the update if it was 5.6.x.
Mark, good article, human factor was the main culprit.
The main dev got bullied into accepting someone unknown as a lead.
If I understood correctly:
- You need to be running a distro that uses glibc (for IFUNC)
- You need to have versions 5.6.0 or 5.6.1 of xz or liblzma installed (xz-utils provides the library liblzma) - likely only true if running a rolling-release distro and updating religiously.
This Gist was updated 27 min ago
I think I am ok right now.
My other Debian machines are versions 5.2.5, but have to keep checking what other facts come out.
# xz --version
xz (XZ Utils) 5.2.5
liblzma 5.2.5
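
The checks discussed in the thread (flag xz/liblzma 5.6.0 or 5.6.1, and see whether sshd uses liblzma at all) can be scripted. This is an added example, not part of any post above and not IPFire's own tooling; the function names are hypothetical, and using `ldd` on the sshd binary to test linkage is an assumption about how to check "ssh does not use it".

```shell
#!/bin/sh
# Added example: classify `xz --version` output against the versions named in the thread.

# Read `xz --version` output on stdin; print one of: affected, ok, unknown.
classify_xz_version() {
    result=unknown
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            "xz (XZ Utils) "*|"liblzma "*) ;;   # only the two version lines matter
            *) continue ;;                       # skip prompts, blank lines, noise
        esac
        ver=${line##* }                          # last field is the version string
        case "$ver" in
            5.6.0|5.6.1) result=affected; break ;;
            [0-9]*.[0-9]*) result=ok ;;
        esac
    done
    echo "$result"
}

# Read `ldd` output for the sshd binary on stdin; succeed if liblzma is linked in.
links_liblzma() {
    grep -q 'liblzma\.so'
}

# Run both checks on the local machine and print a one-line summary.
check_host() {
    verdict=$(xz --version 2>/dev/null | classify_xz_version)
    sshd_bin=$(command -v sshd || echo /usr/sbin/sshd)   # fallback path is an assumption
    if ldd "$sshd_bin" 2>/dev/null | links_liblzma; then
        linked=yes
    else
        linked=no
    fi
    echo "liblzma: $verdict, sshd links liblzma: $linked"
}

# Only touch the local system when asked to: sh script.sh --check
if [ "${1:-}" = "--check" ]; then
    check_host
fi
```

A result of `affected` means the installed version matches the ones named above and the update should be reinstalled, as advised earlier in the thread.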