04:17:07 https://social.restless.systems/@ncommander/112176985100187327
16:12:32 Hello folks!
16:12:44 I'm wearing my security@ hat right now. This is now public:
16:12:45 https://www.openwall.com/lists/oss-security/2024/03/29/4
16:14:06 It's a very targeted supply-chain attack on the xz/liblzma package. The good news is that it only affects 5.6.0 & 5.6.1, and that it's designed specifically (it seems) to attack sshd that systemd launches, and because of systemd it links in (the corrupted) liblzma.
16:14:24 OI ships 5.6.1 AIUI, but from what we can tell it won't affect things.
16:14:59 Still, there is a bad player in the xz space, and it pays to be cautious.
16:15:50 I know OmniOS has 5.6.1 in bloody and under-test 151050. Unsure of other non-SmartOS distros; SmartOS's platform ships 5.2.1.
16:16:19 This vulnerability could affect LX zones for those who use them, as well as any modern Linux that ships xz 5.6.[01].
16:17:13 I think that's all I can say w/o further guesses or speculation. (That line about "a bad player" is as guess-y/speculative as I'll get.)
16:18:51 freebsd ships 5.6.0, too.
16:23:59 A FreeBSD security officer has said they are not vulnerable, for similar reasons why illumos distros are most likely not vulnerable. (The attack code is very Linux-targeted, trying to suck things out of sshd that gets linked with liblzma.)
16:24:41 Please don't panic folks, but do, as you always should be IMHO, be cautious.
16:26:25 thanks danmcd
16:27:44 As noted in the oss-security post, the bit of the build script that links in the extra ELF file with the sshd code checks first to make sure the system is AMD64 (since that's what the ELF object file is compiled for), and that it's Linux & using GNU ld, so non-Linux systems won't have this extra bit of code linked in.
16:28:53 But the same GitHub account that introduced this also made several hundred other commits to xz over the past year or two, and no one has had time to scrutinize all of those yet to see if there were any other changes to be concerned about.
16:31:46 * nomad is once again happy to not be on the bleeding edge (or anywhere near it).
16:36:33 Yep... would be interesting to get an audit of what xz revs this GitHub account has touched.
16:43:24 Looks like OI updated to 5.6.0 on 2024-02-28 and 5.6.1 on 2024-03-11.
16:45:55 Yep. Sorry I couldn't say anything earlier.
21:25:40 It strikes me as premature to say illumos/freebsd are not affected. The GitHub account which apparently made the malicious commits has been a contributor to the project for ~2 years.
21:27:32 The backdoor as-discovered apparently only affected Debian/RHEL, but there is a lot which we don't know, which we should be mindful of.