#18872 closed bug (invalid)
URGENT ? Revert to xz 5.4x (backdoor in 5.6)
Reported by: | slema | Owned by: | axeld |
---|---|---|---|
Priority: | critical | Milestone: | Unscheduled |
Component: | Servers/net_server | Version: | R1/Development |
Keywords: | ssh xz | Cc: | |
Blocked By: | | Blocking: | |
Platform: | All | | |
Description
Am I right to believe the xz backdoor would affect Haiku too? Not that anyone is crazy enough to have an open SSH server on Haiku current at this moment, but it's a good idea to revert to 5.4x like all other Linux / BSD / Mac systems just did.
At the time of this writing, current shows 5.61 for xz --version,
which is in the list of affected versions.
https://www.darkreading.com/vulnerabilities-threats/are-you-affected-by-the-backdoor-in-xz-utils
Change History (2)
comment:1 by , 9 months ago
Resolution: | → invalid |
---|---|
Status: | new → closed |
comment:2 by , 9 months ago
There is a little concern for Haiku itself too, because the "vulnerable" version is currently used in the riscv64 build packages. But as the backdoor only targets x86_64 Linux, this isn't really an issue either.
We already switched to a 5.6.1 from the Git repository instead of the source tarball. The backdoor would not have affected us anyway as we (1) are not Linux, (2) do not use glibc's runtime linker, (3) don't use glibc ifuncs.
Ultimately the question of whether to revert back to 5.4.x is still an open one. I don't know that a decision has been reached about that yet. But this ticket would belong at HaikuPorts anyway, I think.
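The triage reasoning in this thread (release number first, then the x86_64 Linux and glibc conditions from comment 2), written out as a small shell check. This is an added example, not part of the ticket or of Haiku's or HaikuPorts' tooling; the function names, result strings and sample output are constructed, and the 5.6.0/5.6.1 match is the publicly reported set of backdoored releases, not a list taken from this page.

```shell
#!/bin/sh
# Added example: classify a host against the conditions named in this ticket.
# Function names and result strings are hypothetical, chosen for illustration.

# Constructed sample of `xz --version` output.
SAMPLE_XZ_OUTPUT='xz (XZ Utils) 5.6.1
liblzma 5.6.1'

# Print the liblzma version found in `xz --version` output passed as $1.
liblzma_version() {
    printf '%s\n' "$1" | sed -n 's/^liblzma \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# classify VERSION KERNEL MACHINE LIBC
# Releases 5.6.0 and 5.6.1 are the ones publicly reported as backdoored.
# Comment 2 limits the target to x86_64 Linux with glibc's runtime linker.
classify() {
    ver=$1 kernel=$2 machine=$3 libc=$4
    case "$ver" in
        5.6.0|5.6.1) ;;
        *) echo "not-affected-version"; return 0 ;;
    esac
    if [ "$kernel" = "Linux" ] && [ "$machine" = "x86_64" ] && [ "$libc" = "glibc" ]; then
        # The version string cannot show whether the package was built from
        # the release tarball or from Git, so the package source still needs
        # to be checked by hand.
        echo "exposed-check-package-source"
    else
        echo "affected-version-untargeted-platform"
    fi
}

# Classify the machine this script runs on.
triage_host() {
    command -v xz >/dev/null 2>&1 || { echo "xz-not-installed"; return 0; }
    host_libc=other
    # getconf answers GNU_LIBC_VERSION only on glibc systems.
    getconf GNU_LIBC_VERSION >/dev/null 2>&1 && host_libc=glibc
    classify "$(liblzma_version "$(xz --version)")" \
        "$(uname -s)" "$(uname -m)" "$host_libc"
}

if [ "${1:-}" = "--host" ]; then
    triage_host
fi
```

Run with `--host` to classify the local machine; without arguments the script only defines the functions.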