xz backdoor upstream

7 replies [Last post]
Luck-02
Offline
Joined: 01/11/2022

Was Trisquel affected by this backdoor?
https://www.openwall.com/lists/oss-security/2024/03/29/4

Ark74

I am a member!

I am a translator!

Offline
Joined: 07/15/2009

NO, it is not.

No version of Trisquel is affected.

Regards.

Malsasa
Offline
Joined: 12/01/2016

Thank you for your quick clarification, Ark. I'm glad Trisquel is not
affected.

Best regards,

Malsasa

PublicLewdness
Offline
Joined: 03/15/2020

"NO, it is not.

No version of Trisquel is affected.

Regards."

Is this because Trisquel uses an older version of the library before the backdoor? I heard that was what saved Debian Stable.

Magic Banana

I am a member!

I am a translator!

Offline
Joined: 07/24/2010

Yes, Trisquel 9, 10 and 11 respectively ship versions 5.2.2, 5.2.4 and 5.2.5: https://packages.trisquel.org/liblzma5

The affected versions are 5.6.0 and 5.6.1.
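
A version check of the kind the posts above perform by hand, written as an added example (not part of the thread or of Trisquel's tooling). The function names are hypothetical, the sample version strings are constructed, and `+really` is the Debian convention for a package that carries a higher version number but ships an older upstream release.

```shell
#!/bin/sh
# Added example: classify a Debian-style liblzma5 package version against
# the affected upstream releases named in the thread (5.6.0 and 5.6.1).

# Reduce a package version string to the upstream version it actually ships.
upstream_version() {
    v=$1
    v=${v#*:}                 # drop an epoch such as "1:" if present
    v=${v%-*}                 # drop the distribution revision (after last "-")
    case $v in
        *+really*) v=${v##*+really} ;;  # "X+reallyY" ships upstream Y, not X
    esac
    v=${v%%[+~]*}             # drop remaining "+dfsg" / "~bpo" style suffixes
    printf '%s\n' "$v"
}

# Print "affected" or "not-affected" for one package version string.
xz_status() {
    case $(upstream_version "$1") in
        5.6.0|5.6.1) echo affected ;;
        *)           echo not-affected ;;
    esac
}

# On a dpkg-based system, check the installed library (not run automatically).
check_installed() {
    xz_status "$(dpkg-query -W -f='${Version}\n' liblzma5 | head -n 1)"
}

# Constructed sample version strings; a plain substring match for "5.6.1"
# would misclassify the "+really" entry as affected.
for sample in 5.2.5-2ubuntu1 5.6.1-1 5.6.1+really5.4.5-1 1:5.6.0-0.2; do
    printf '%-24s upstream %-8s %s\n' \
        "$sample" "$(upstream_version "$sample")" "$(xz_status "$sample")"
done
```

This only compares version numbers against the two releases listed in the thread; it does not inspect the library binary itself.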

Avron

I am a translator!

Offline
Joined: 08/18/2020

In addition, the archive of xz 5.2.5 was made in 2020, while the person responsible for the backdoor only started participating in 2021, so if that person introduced any other problematic code, it is anyway not in any version of Trisquel.

Other_Cody
Offline
Joined: 12/20/2023

Thank you, Luck-02, and everyone else, for the information about this problem.

I just checked some CVE websites and saw

https://github.com/CVEProject/cvelistV5

You can

git clone https://github.com/CVEProject/cvelistV5

and also may see more security reports.

I'm glad Trisquel, and likely most "Free as in freedom" GNU/Linux or other freedom-supporting software sites/developers, do not just pull and/or use the latest "updates", as those "updates" may not always be nice.

Though with freedom supporting software anyone does not need to just accept any update, or any code that that person does not like. And has the freedom to change the code as well.

I remember at least 4 freedoms shown at https://www.gnu.org/philosophy/free-sw.html

Luck-02
Offline
Joined: 01/11/2022

More information about the xz project here: https://tukaani.org/