Gaelan Steele on Nostr: holy fuck: https://www.openwall.com/lists/oss-security/2024/03/29/4 tl;dr: libxz ...
holy fuck: https://www.openwall.com/lists/oss-security/2024/03/29/4
tl;dr: libxz backdoored by its maintainer; the malicious libxz detects if it's been linked into opensshd (which doesn't actually use libxz, but many distros patch it to use libsystemd, and libsystemd uses libxz) and, if so, does something (as yet unclear exactly what) to opensshd's RSA_public_decrypt()
appears to target Debian and Fedora, and didn't make it into stable versions of either, so you're probably fine unless you're running Fedora 41/rawhide or Debian testing
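The post's key mechanism is a link chain: sshd does not use liblzma itself, but a distro patch pulls in libsystemd, which pulls in liblzma, so the library ends up loaded in the sshd process. The script below is an added example (not from the post or from any project it mentions) that a defender can use to see whether a given sshd binary sits on that chain. It assumes `ldd` is available and prints the usual `libname.so => /path (0xaddr)` lines; the sample ldd output embedded in it is constructed for the example, not captured from a real host.

```shell
#!/bin/sh
# Added example: detect whether an sshd binary transitively loads liblzma via
# libsystemd (the condition described in the post). Assumes `ldd` output format.

# Print the libraries of concern found in ldd-style output read from stdin,
# one per line (liblzma and/or libsystemd); prints nothing if neither appears.
find_suspect_libs() {
    grep -oE 'lib(systemd|lzma)\.so[.0-9]*' | sort -u
}

# Classify ldd-style output read from stdin:
#   liblzma-linked  the process would load liblzma (the post's scenario)
#   systemd-only    libsystemd is loaded but liblzma is not (a different build)
#   clean           neither library is loaded
classify_sshd_deps() {
    libs=$(find_suspect_libs || true)
    case "$libs" in
        *liblzma*)    echo "liblzma-linked" ;;
        *libsystemd*) echo "systemd-only" ;;
        *)            echo "clean" ;;
    esac
}

# Convenience wrapper for a real binary, e.g.: check_sshd /usr/sbin/sshd
check_sshd() {
    ldd "$1" 2>/dev/null | classify_sshd_deps
}

# Constructed sample: what ldd prints for a distro-patched sshd that links
# libsystemd (and therefore liblzma). Paths and addresses are made up.
SAMPLE_PATCHED='	linux-vdso.so.1 (0x00007ffd00000000)
	libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f0000100000)
	liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f0000200000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000300000)'

# Constructed sample: an unpatched upstream-style sshd with no libsystemd.
SAMPLE_UPSTREAM='	linux-vdso.so.1 (0x00007ffd00000000)
	libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f0000100000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000300000)'

# Run against a real binary when one is given on the command line.
if [ $# -gt 0 ]; then
    printf '%s: %s\n' "$1" "$(check_sshd "$1")"
fi
```

Run it as `sh check_sshd.sh /usr/sbin/sshd`; a result of `liblzma-linked` only tells you the library is in sshd's address space, not that the copy installed is malicious, so it is a triage filter for deciding which hosts need their xz package version examined, not a verdict on its own.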