xz backdoor upstream
- Anmelden oder Registrieren um Kommentare zu schreiben
Was the trisquel affected by this backdoor?
https://www.openwall.com/lists/oss-security/2024/03/29/4
NO, it is not.
No version of Trisquel is affected.
Regards.
Thank you for your quick clarification, Ark. I'm glad Trisquel is not
affected.
Best regards,
Malsasa
"NO, it is not.
No version of Trisquel is affected.
Regards."
Is this because Trisquel uses an older version of the library before the backdoor ? I heard that was what saved Debian Stable.
Yes, Trisquel 9, 10 and 11 respectively ship versions 5.2.2, 5.2.4 and 5.2.5: https://packages.trisquel.org/liblzma5
The affected versions are 5.6.0 and 5.6.1.
In addition, the archive of xz 5.2.5 was made in 2020, while the person responsible for the backdoor only started participating in 2021, so if that person introduced any other problematic code, it is anyway not in any version of Trisquel.
Thank you, Luck-02, and everyone else, for the information about this problem.
I just checked some CVE websites and saw
https://github.com/CVEProject/cvelistV5
You can
git clone https://github.com/CVEProject/cvelistV5
and also may see more security reports.
I'm glad Trisquel, and likely most "Free as in freedom" Gnu/Linux or other freedom supporting software sites/developers do not just pull and/or use the latest "updates" as those "updates" may not always be nice.
Though with freedom supporting software anyone does not need to just accept any update, or any code that that person does not like. And has the freedom to change the code as well.
I remember at least 4 freedoms shown at https://www.gnu.org/philosophy/free-sw.html
More information about the xz project here https://tukaani.org/
- Anmelden oder Registrieren um Kommentare zu schreiben