Panik: your Debian stable system is so ancient it still contains the heartbleed bug.
110I thought Debian does do security patches
14Of course it was patched in all affected Debian versions: https://security-tracker.debian.org/tracker/CVE-2014-0160
16
The xz infiltration is a proof of concept.
Anyone who is comforted by the fact they're not affected by a particular release is misguided. We just don't yet know the ways in which we are thoroughly screwed.
104This is a huge wake up call to OSS maintainers that they need to review code a lot more thoroughly. This is far from the last time we’re going to see this, and it probably wouldn’t have been caught if the attacker hadn’t been sloppy
20https://upvote.au/comment/818245
Nah, I'd say the chap was pretty unsloppy.
Just that we were lucky that someone found it.It's a good thing that
xzis a type of program that people may want to profile.But this is an eye opener for people saying that Linux is "secure" (not more secure, but just secure .) because the code has many eyes on it. --> jump to digression.
This confirms my suspicion that we may be affected by the bystander effect, so we actually have less eyes than required for this.
digression:
- of course I don't mean that this makes Linux less secure than Windows. The point that it makes it more secure than Windows/MacOS or other closed source systems is already apparent.
- Just that, we can't consider Linux to be secure (without comparing it to something less secure) as many ppl would, when evangelising Linux.
My point being, tell the whole truth. The newbie that's taking your advice will thank you for that later on.
28- of course I don't mean that this makes Linux less secure than Windows. The point that it makes it more secure than Windows/MacOS or other closed source systems is already apparent.
And to have strong and continuous analysis of software bills of materials.
3
I'm just waiting for the backdoor to be found in Firefox and Chromium or some library shared by most applications.
6Like libwebp a few months back? Or Log4j?
5The thing about browsers is that there are so many accidental exploits already, it makes little sense to introduce your own on top of it.
2
I always just assumed all the distros I use have backdoors as a fact of life. I take comfort in not being a person of interest to anyone and just blend in with the crowd. I also don't use windows because for every backdoor my Debian may have, windows will have 100 more. Servers don't get hacked all the time because it is not linux->internet, it is linux->bunch of stuff->internet, but I am sure backdoors are there.
-1
Your Debian stable system is so ancient you got bigger vulnerabilities to worry about: Panik!
Also the problem was that Debian's sshd linked to liblzma for some systemd feature to work. This mod was done by Debian team.
79Liblzma balls
116But do it in private, don't let my xz.
24
Even if you're using debian 12 bookworm and are fully up to date, you're still running [5.4.1].
The only debian version actually shipping the vulnerable version of the package was sid, and being a canary for this kind of thing is what sid is for, which it's users know perfectly well.
35The linked version in stable was not impacted.
29What do you mean bigger vulnerabilitirs to worry about in Debian stable?
11
The malicious changes were submitted by JiaT75, one of the two main xz Utils developers with years of contributions to the project.
“Given the activity over several weeks, the committer is either directly involved or there was some quite severe compromise of their system,” Freund wrote. “Unfortunately the latter looks like the less likely explanation, given they communicated on various lists about the ‘fixes’” provided in recent updates. Those updates and fixes can be found here, here, here, and here. https://arstechnica.com/security/2024/03/backdoor-found-in-widely-used-linux-utility-breaks-encrypted-ssh-connections/
That really sucks. This kind of thing can make people and companies lose trust in open source. I wonder if we will learn the reason behind that. I would guess the developer was paid a lot of money by some organization to risk ruining his reputation like that.
50Like the exact same thing can not happen in a closed source codebase. It probably does daily. Since closed codebases the due dilligence and reviews cost money, and nobody can see the state. They are intentionally neglected.
Open source nor closed source is immune to the 5$ wrench hack52Can't decide which one is more relevant - the $5 wrench hack, or any sort of blackmailing.
25Exactly, if you are as big a Microsoft, you can't tell 100% if one of your developer's is actually being paid by a foreign government. Even if you say completely check the commits other devs make, there will still be deadlines when a code review is just "looks fine, next".
8
No, its the exact opposite.
Supply chain conpromise is a level of risk to manage not unique to FOSS. Ever heard of sunburst? It resulted in a lot of Microsofts cloud customers getting wreaked all because their supply chain was compromised.
Do people continue to buy into 365 and Azure? Yes. Without care.
So will this hurt open source projects? Not at all, in fact it will benefit them, highlight just why source code SHOULD be open source and visible to all! We would have had very little to no visibility and capability to monitor closed source. Let alone learn, improve and harden how projects can protect against this increasingly more common attack.
48
Still paniking, cause the backdoor was apparently targetting Debian servers, it was discovered just by chance and the "mantainer" made commits for 2 years in the same repo
49The fact that this was planned is what makes me nervous. Imagine what else is lurking.
11and it was only discovered accidentally, when someone was profiling some stuff, noticed SSH using a bit too much CPU power when receiving connections even for invalid usernames/passwords, and spent the time to investigate it more deeply. A lot of developers aren't that attentive, and it could have easily snuck through.
28
That's basically the idea of having a stable branch. Where all packages have 2+ years of testing and revisions.
37They are stagnant. They keep getting security/fix patches, just not new features.
2
The slowness is on purpose.
(OP may know, but I don't know if everyone does.)
Edit: /u/getaway@lemmynsfw.com is picking up what I was putting down.
31The slowness is on purpose? To help identify the sshd in question to the attacker which nodes are compromised? What reason(s) could there be?
0If the above decides to continue, the code appears to be parsing the symbol tables in memory. This is the quite slow step that made me look into the issue.
That is from the original find. Not sure the relevance of it and this being proof for it being "on purpose". But that is the origin of the slowness.
2
Maybe Manjaro should delay update even longer to make it extra secure /s
22Ngl manjaro beeing slow as saved my ass more than once
8I recently ran into a bug in the latest version of cmake that breaks it completely in my system, can't compile shit and it just does a coredump.
What is worse is that I can't even report the bug because I can't get the registration email from the cmake gitlab. I checked the manjaro repos and their cmake version is 2 versions older than the one that has the bug that left me thinking for a while lol.
2
In this case the slower updates payed off. There are many things wrong with Manjaro but slower updates is not one of them.
1Panik: manjaro switched to regular arch repos on the very first update, p.s happened to me few years ago
1
How about you just use any stable system. For instance, stable Fedora wasn't affected
18This was the slow process for my hungover brain today.
2
