Xe :verified:

liblzma and xz version 5.6.0 and 5.6.1 are vulnerable to arbitrary code execution compromise

xeiaso.net/notes/2024/xz-vuln/

1 comment
rugk [7845]

Kinda important side-fact on the #xz story:

The #xz fiasco could have been prevented if #openssh just included/implemented systemd-notify as a simple protocol, which apparently would have been easy…

Instead, distros all implemented the patch to include a dependency which eventually included xz…

See github.com/openssh/openssh-por

That said, *of course*, the attacker could have found other packages/ways/deps to include the malicious package/code, but still sad to read…

@cadey @AndresFreundTec
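The comment above argues that the systemd notification protocol is small enough for a daemon to implement itself instead of linking libsystemd. As an added illustration (my own code, not from this thread, from OpenSSH or from systemd), here is a minimal sd_notify-style client in C that writes the state string straight to the AF_UNIX datagram socket named by NOTIFY_SOCKET, plus a self-check that plays the systemd side at a constructed /tmp path; the function names are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>
/* Send one state string ("READY=1", "STOPPING=1", ...) to the AF_UNIX datagram
 * socket named by NOTIFY_SOCKET. Returns 0 when not running under systemd
 * (variable unset, nothing to do), 1 on success, -1 on error. A leading '@'
 * names a Linux abstract socket, whose first sun_path byte must be NUL. */
int notify_systemd(const char *state) {
    const char *path = getenv("NOTIFY_SOCKET");
    if (path == NULL || path[0] == '\0') return 0;
    struct sockaddr_un addr;
    memset(&addr, 0, sizeof addr);
    addr.sun_family = AF_UNIX;
    size_t len = strlen(path);
    if (len >= sizeof addr.sun_path) return -1;
    memcpy(addr.sun_path, path, len);
    if (addr.sun_path[0] == '@') addr.sun_path[0] = '\0';
    int fd = socket(AF_UNIX, SOCK_DGRAM, 0);
    if (fd < 0) return -1;
    socklen_t alen = (socklen_t)(offsetof(struct sockaddr_un, sun_path) + len);
    ssize_t n = sendto(fd, state, strlen(state), 0, (struct sockaddr *)&addr, alen);
    close(fd);
    return n == (ssize_t)strlen(state) ? 1 : -1;
}

/* Self-check standing in for systemd: bind a receiving datagram socket at a
 * constructed path, point NOTIFY_SOCKET at it, and confirm the exact bytes
 * arrive. Returns 1 on a faithful round trip, 0 otherwise. */
int selftest_roundtrip(void) {
    const char *msg = "READY=1\nSTATUS=listening on port 22";
    const char *path = "/tmp/notify-demo.sock";   /* constructed, not systemd's */
    struct sockaddr_un addr;
    memset(&addr, 0, sizeof addr);
    addr.sun_family = AF_UNIX;
    strncpy(addr.sun_path, path, sizeof addr.sun_path - 1);
    unlink(path);
    int srv = socket(AF_UNIX, SOCK_DGRAM, 0);
    if (srv < 0) return 0;
    if (bind(srv, (struct sockaddr *)&addr, sizeof addr) < 0) { close(srv); return 0; }
    setenv("NOTIFY_SOCKET", path, 1);
    int sent = notify_systemd(msg);
    char buf[128] = {0};
    ssize_t n = sent == 1 ? recv(srv, buf, sizeof buf - 1, 0) : -1;
    unsetenv("NOTIFY_SOCKET");
    close(srv); unlink(path);
    return sent == 1 && n == (ssize_t)strlen(msg) && strcmp(buf, msg) == 0;
}
```

A daemon would call notify_systemd("READY=1") once its listening socket is up; with NOTIFY_SOCKET unset the call is a no-op, so the same binary runs unchanged outside systemd.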