Re: Backdoor in upstream xz-utils
From: Tomas Volf
Subject: Re: Backdoor in upstream xz-utils
Date: Fri, 29 Mar 2024 21:55:59 +0100
Hello,
On 2024-03-29 13:39:59 -0700, Felix Lechner via Development of GNU Guix and the
GNU System distribution. wrote:
> > Is there a way we can blacklist known bad versions?
>
> Having said all that, I am not sure Guix is affected.
>
> On my systems, the 'detect.sh' script shows no reference to liblzma in
> sshd. Everyone, please send additional reports.
If nothing else, our xz is at 5.2.8. I think the question was if there is a way
to blacklist a specific known tarball to ensure no-one updates to it by accident.
(I do not believe Guix would be vulnerable even when built from the malicious
tarball, but that is a separate issue.)
Have a nice day,
Tomas
--
There are only two hard things in Computer Science:
cache invalidation, naming things and off-by-one errors.