• Delilah (She/Her)
    link
    fedilink
    English
    358 months ago

    Even if you’re using debian 12 bookworm and are fully up to date, you’re still running [5.4.1].

    The only debian version actually shipping the vulnerable version of the package was sid, and being a canary for this kind of thing is what sid is for, which it’s users know perfectly well.

    • piefedderatedd
      link
      fedilink
      28 months ago

      There was a comment on Mastodon or Lemmy saying that the bad actor had been working with the project for two years so earlier versions may have malicious code as well already.

      • @[email protected]
        link
        fedilink
        58 months ago

        They did but the malware wasn’t fully implemented yet. They spent quite a while implementing it, I guess to try and make it less obvious.

      • @mumblerfish
        link
        58 months ago

        Distros like gentoo reverted to 5.4.2 for that reason. If debian stable is on 5.4.1 that should be ok.