Opened 9 months ago

Closed 9 months ago

Last modified 9 months ago

#18872 closed bug (invalid)

URGENT ? Revert to xz 5.4x (backdoor in 5.6)

Reported by: slema
Owned by: axeld
Priority: critical
Milestone: Unscheduled
Component: Servers/net_server
Version: R1/Development
Keywords: ssh xz
Cc:
Blocked By:
Blocking:
Platform: All

Description

Am I right to believe the xz backdoor would affect Haiku too? Not that anyone is crazy enough to have an open SSH server on Haiku current at this moment, but it's a good idea to revert to 5.4x like all other Linux / BSD / Mac systems just did.

At the time of this writing, current shows 5.61 from xz --version, which is in the list of affected versions.

https://www.darkreading.com/vulnerabilities-threats/are-you-affected-by-the-backdoor-in-xz-utils

Change History (2)

comment:1 by waddlesplash, 9 months ago

Resolution: invalid
Status: new → closed

We already switched to 5.6.1 from the Git repository instead of the source tarball. The backdoor would not have affected us anyway, as we (1) are not Linux, (2) do not use glibc's runtime linker, (3) don't use glibc ifuncs.

Ultimately the question of whether to revert back to 5.4.x is still an open one. I don't know that a decision has been reached about that yet. But this ticket would belong at HaikuPorts anyway, I think.

comment:2 by jmairboeck, 9 months ago

There is a little concern for Haiku itself too, because the "vulnerable" version is currently used in the riscv64 build packages. But as the backdoor only targets x86_64 Linux, this isn't really an issue either.
