• bruhduh
      link
      3
      edit-2
      3 months ago

      Is linux 6.1 vulnerable to heartbleed? I’m on lmde6 with linux 6.1 btw) edit: as other comment said debian 12 is good so everything alright

        • Hello Hotel
          link
          English
          -2
          edit-2
          3 months ago

          Its a CPU bug only the kernel can fix 🤒. The kernel is responsible for its running hardware.

          Am I dumb? that’s the spectere and meltdown bug. xz-utils malware is a whole other thing, lol.

            • Hello Hotel
              link
              English
              23 months ago

              Clearly not, lol. Every vulnerability is spectere aparently. (To be fair, the other CVE this week is hardware based)

              • @[email protected]
                link
                fedilink
                33 months ago

                Heartbleed isn’t new either. It’s from years ago. It’s also unrelated to the xz backdoor. Maybe you should get some rest. Check your carbon monoxide alarms are working. If not see a doctor. It sounds like you are having memory issues.

  • @recapitated
    link
    1043 months ago

    The xz infiltration is a proof of concept.

    Anyone who is comforted by the fact they’re not affected by a particular release is misguided. We just don’t yet know the ways in which we are thoroughly screwed.

    • @BURN
      link
      203 months ago

      This is a huge wake up call to OSS maintainers that they need to review code a lot more thoroughly. This is far from the last time we’re going to see this, and it probably wouldn’t have been caught if the attacker hadn’t been sloppy

      • @[email protected]
        link
        fedilink
        English
        28
        edit-2
        3 months ago

        https://upvote.au/comment/818245

        Nah, I’d say the chap was pretty unsloppy.
        Just that we were lucky that someone found it.

        It’s a good thing that xz is a type of program that people may want to profile.

        But this is an eye opener for people saying that Linux is “secure” (not more secure, but just secure .) because the code has many eyes on it. --> jump to digression.

        This confirms my suspicion that we may be affected by the bystander effect, so we actually have less eyes than required for this.


        digression:

        • of course I don’t mean that this makes Linux less secure than Windows. The point that it makes it more secure than Windows/MacOS or other closed source systems is already apparent.
          • Just that, we can’t consider Linux to be secure (without comparing it to something less secure) as many ppl would, when evangelising Linux.

        My point being, tell the whole truth. The newbie that’s taking your advice will thank you for that later on.

        • @BURN
          link
          153 months ago

          The reason I consider this sloppy is because he altered default behavior. Done properly, an injection like this probably could have been done with no change to default behavior, and we’d be even less likely to have gotten lucky.

          Looking back we can see all the signs pointing to it, but it still took a lot of getting lucky to find it.

          I’ve always considered the “source is open so people can check for vulnerabilities” saying a bit ironic, because I’d bet 99% of us never look, nor could find it if we were looking. The bystander effect is definitely here as we all just assume someone else has audited it.

          • @[email protected]
            link
            fedilink
            English
            33 months ago

            Done properly, an injection like this probably could have been done with no change to default behaviour,

            Interesting.
            So the sloppiness was in the implementation and not the social engineering.
            But then of course, people tend to be not good at both, fooling people and fooling programmers/computers at the same time. In this case, the chap turned out to be better at fooling people than programmers/computers.


            And I am being sloppy for not trying to learn enough about exploits even though I should have a good enough programming base to start it.

        • TheHarpyEagle
          link
          53 months ago

          It’s a rough balance when you’re trying to convince people unfamiliar with the internals (let alone non technical people) to make the switch. Saying “Linux is safe, but not bulletproof” may scare them back to the devil they know even if there’s no greater guarantee of safety there.

          • @[email protected]
            link
            fedilink
            English
            1
            edit-2
            3 months ago

            Of course, maybe I am being too hard on people by expecting everyone to put more thought into everything they make a decision for. But it is in fact the lack of thought that tends to cause problems in all areas we see nowadays.
            But that’s a topic for somewhere else.


            We can simply go by “Linux is more bulletproof than Windows”; instead of calling it “safe”, which would also be wrong.
            Also with, “Windows will shoot you with intent, Linux might just get some stray shrapnel.”

      • @recapitated
        link
        33 months ago

        And to have strong and continuous analysis of software bills of materials.

    • Possibly linux
      link
      fedilink
      English
      63 months ago

      I’m just waiting for the backdoor to be found in Firefox and Chromium or some library shared by most applications.

      • exu
        link
        fedilink
        English
        53 months ago

        Like libwebp a few months back? Or Log4j?

      • @Gabu
        link
        23 months ago

        The thing about browsers is that there are so many accidental exploits already, it makes little sense to introduce your own on top of it.

    • @[email protected]
      link
      fedilink
      -23 months ago

      I always just assumed all the distros I use have backdoors as a fact of life. I take comfort in not being a person of interest to anyone and just blend in with the crowd. I also don’t use windows because for every backdoor my Debian may have, windows will have 100 more. Servers don’t get hacked all the time because it is not linux->internet, it is linux->bunch of stuff->internet, but I am sure backdoors are there.

  • u/lukmly013 (lemmy.sdf.org)
    cake
    link
    fedilink
    English
    793 months ago

    Your Debian stable system is so ancient you got bigger vulnerabilities to worry about: Panik!

    Also the problem was that Debian’s sshd linked to liblzma for some systemd feature to work. This mod was done by Debian team.

    • @Dasnap
      link
      1163 months ago

      Liblzma balls

      • @UckyBon
        link
        243 months ago

        But do it in private, don’t let my xz.

    • Delilah (She/Her)
      link
      fedilink
      English
      353 months ago

      Even if you’re using debian 12 bookworm and are fully up to date, you’re still running [5.4.1].

      The only debian version actually shipping the vulnerable version of the package was sid, and being a canary for this kind of thing is what sid is for, which it’s users know perfectly well.

      • piefedderatedd
        link
        fedilink
        23 months ago

        There was a comment on Mastodon or Lemmy saying that the bad actor had been working with the project for two years so earlier versions may have malicious code as well already.

        • @mumblerfish
          link
          53 months ago

          Distros like gentoo reverted to 5.4.2 for that reason. If debian stable is on 5.4.1 that should be ok.

        • @[email protected]
          link
          fedilink
          53 months ago

          They did but the malware wasn’t fully implemented yet. They spent quite a while implementing it, I guess to try and make it less obvious.

      • u/lukmly013 (lemmy.sdf.org)
        cake
        link
        fedilink
        English
        83 months ago

        Mostly a joke about him calling it “ancient”, but there may be some unpatched vulnerabilities in older software. Though there could also be some new ones in newest versions.
        Still, unless it’s Alpha/Beta/RC, it’s probably better to keep it up-to-date.

        • Scroll Responsibly
          link
          fedilink
          113 months ago

          Debian patches security vulnerabilities in stable. They don’t change the version numbers or anything but they do fix security holes.

        • Possibly linux
          link
          fedilink
          English
          103 months ago

          Debian responds to security issues in stable within a fairly short window. They have a dedicated security team.

  • oce 🐆
    link
    fedilink
    50
    edit-2
    3 months ago

    The malicious changes were submitted by JiaT75, one of the two main xz Utils developers with years of contributions to the project.

    “Given the activity over several weeks, the committer is either directly involved or there was some quite severe compromise of their system,” Freund wrote. “Unfortunately the latter looks like the less likely explanation, given they communicated on various lists about the ‘fixes’” provided in recent updates. Those updates and fixes can be found here, here, here, and here. https://arstechnica.com/security/2024/03/backdoor-found-in-widely-used-linux-utility-breaks-encrypted-ssh-connections/

    That really sucks. This kind of thing can make people and companies lose trust in open source. I wonder if we will learn the reason behind that. I would guess the developer was paid a lot of money by some organization to risk ruining his reputation like that.

    • @sep
      link
      523 months ago

      Like the exact same thing can not happen in a closed source codebase. It probably does daily. Since closed codebases the due dilligence and reviews cost money, and nobody can see the state. They are intentionally neglected.
      Open source nor closed source is immune to the 5$ wrench hack

    • @Wooki
      link
      48
      edit-2
      3 months ago

      No, its the exact opposite.

      Supply chain conpromise is a level of risk to manage not unique to FOSS. Ever heard of sunburst? It resulted in a lot of Microsofts cloud customers getting wreaked all because their supply chain was compromised.

      Do people continue to buy into 365 and Azure? Yes. Without care.

      So will this hurt open source projects? Not at all, in fact it will benefit them, highlight just why source code SHOULD be open source and visible to all! We would have had very little to no visibility and capability to monitor closed source. Let alone learn, improve and harden how projects can protect against this increasingly more common attack.

      • oce 🐆
        link
        fedilink
        153 months ago

        Yeah, I agree but I know some companies will have stupid thoughts like “a company employee is less likely to do that” or “at least we have an employment contract to back us up legally”.

      • oce 🐆
        link
        fedilink
        43 months ago

        Certainly, that’s why I said organization to be vague.

        • @PainInTheAES
          link
          53 months ago

          Sorry I should have been more clear too. I was trying to convey that the dev could have been paid off/threatened or it could be the work of a state actor or team of state actors under an alias. In one case they could care about their reputation but in the other maybe not.

          • @[email protected]
            link
            fedilink
            13 months ago

            By the sounds of it it was an organised social engineering attack. Almost certainly “Jia Tan” is not a real person, or if it is a real person then it’s a case of stolen identity. Even if I were being threatened to put a backdoor in some software I wouldn’t do it under my real name.

  • @shotgun_crab
    link
    49
    edit-2
    3 months ago

    Still paniking, cause the backdoor was apparently targetting Debian servers, it was discovered just by chance and the “mantainer” made commits for 2 years in the same repo

    • Possibly linux
      link
      fedilink
      English
      113 months ago

      The fact that this was planned is what makes me nervous. Imagine what else is lurking.

      • @[email protected]
        link
        fedilink
        283 months ago

        and it was only discovered accidentally, when someone was profiling some stuff, noticed SSH using a bit too much CPU power when receiving connections even for invalid usernames/passwords, and spent the time to investigate it more deeply. A lot of developers aren’t that attentive, and it could have easily snuck through.

  • @[email protected]
    link
    fedilink
    373 months ago

    That’s basically the idea of having a stable branch. Where all packages have 2+ years of testing and revisions.

    • @TangledHyphae
      link
      0
      edit-2
      3 months ago

      The slowness is on purpose? To help identify the sshd in question to the attacker which nodes are compromised? What reason(s) could there be?

      • @[email protected]
        link
        fedilink
        English
        63 months ago

        He’s talking about Debian’s slowness in getting new versions to stable, and how the meme ignores security backports.

        • @TangledHyphae
          link
          13 months ago

          Ohh that makes way more sense, thanks. I haven’t used Debian in like 10 years but it was obviously the same back then too.

      • @mumblerfish
        link
        23 months ago

        If the above decides to continue, the code appears to be parsing the symbol tables in memory. This is the quite slow step that made me look into the issue.

        That is from the original find. Not sure the relevance of it and this being proof for it being “on purpose”. But that is the origin of the slowness.

        • @TangledHyphae
          link
          13 months ago

          I doubt that was intentional, they would likely want to hide that latency but the CPU time required to scan everything just is what it is.

          https://bsky.app/profile/filippo.abyssdomain.expert/post/3kowjkx2njy2b

          The hooked RSA_public_decrypt verifies a signature on the server’s host key by a fixed Ed448 key, and then passes a payload to system().

          It’s RCE, not auth bypass, and gated/unreplayable.

      • @Samueru
        link
        23 months ago

        I recently ran into a bug in the latest version of cmake that breaks it completely in my system, can’t compile shit and it just does a coredump.

        What is worse is that I can’t even report the bug because I can’t get the registration email from the cmake gitlab. I checked the manjaro repos and their cmake version is 2 versions older than the one that has the bug that left me thinking for a while lol.

      • @[email protected]
        link
        fedilink
        13 months ago

        Tbh Manjaro has made my system unbootable before with a system update, base Arch has never done that for me. I think Manjaro is just poorly constructed, or maybe it’s bc of all the packages that come pre installed with it causing problems. Minimal installs ftw

        • @[email protected]
          link
          fedilink
          13 months ago

          i had bootfails on both systems, shit happens just boot from usb then changeroot into your system to repair

    • bruhduh
      link
      13 months ago

      deleted by creator

    • Possibly linux
      link
      fedilink
      English
      13 months ago

      In this case the slower updates payed off. There are many things wrong with Manjaro but slower updates is not one of them.

        • Possibly linux
          link
          fedilink
          English
          13 months ago

          Well honestly holding packages is one of the only good things I hear

      • @[email protected]
        link
        fedilink
        2
        edit-2
        3 months ago

        It’s not though, because the malicious release happened more than two weeks ago and manjaro had to fast track the patched xs from arch git repo. This is why manjaro should extend their delayed update policy to catch this kind of issue in the future (maybe 2 months instead of 2 weeks) /s

        • Possibly linux
          link
          fedilink
          English
          23 months ago

          They honestly should as it probably would fix a lot of issues. Then again, Manjaro is so broken that it probably doesn’t matter

  • Possibly linux
    link
    fedilink
    English
    183 months ago

    How about you just use any stable system. For instance, stable Fedora wasn’t affected