guix-devel

Re: Backdoor in upstream xz-utils


From: Tomas Volf
Subject: Re: Backdoor in upstream xz-utils
Date: Fri, 29 Mar 2024 21:55:59 +0100

Hello,

On 2024-03-29 13:39:59 -0700, Felix Lechner via Development of GNU Guix and the 
GNU System distribution. wrote:
> > Is there a way we can blacklist known bad versions?
>
> Having said all that, I am not sure Guix is affected.
>
> > On my systems, the 'detect.sh' script shows no reference to liblzma in
> sshd.  Everyone, please send additional reports.

If nothing else, our xz is at 5.2.8.  I think the question was if there is a way
to blacklist a specific known tarball to ensure no-one updates to it by accident.

(I do not believe Guix would be vulnerable even when built from the malicious
tarball, but that is a separate issue.)

Have a nice day,
Tomas

--
There are only two hard things in Computer Science:
cache invalidation, naming things and off-by-one errors.
