xz backdoor upstream

Luck-02

Was Trisquel affected by this backdoor?
https://www.openwall.com/lists/oss-security/2024/03/29/4

Ark74


NO, it is not.

No version of Trisquel is affected.

Regards.

Malsasa

Thank you for your quick clarification, Ark. I'm glad Trisquel is not
affected.

Best regards,

Malsasa

PublicLewdness

"NO, it is not.

No version of Trisquel is affected.

Regards."

Is this because Trisquel uses an older version of the library before the backdoor? I heard that was what saved Debian Stable.

Magic Banana


Yes, Trisquel 9, 10 and 11 respectively ship versions 5.2.2, 5.2.4 and 5.2.5: https://packages.trisquel.org/liblzma5

The affected versions are 5.6.0 and 5.6.1.
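
The version comparison described above, as an added example that is not part of the original thread: a shell check that reduces a Debian-style liblzma5 package version to its upstream xz version and compares it with the two affected releases. The function names and the Debian revision suffixes in the sample inputs are constructed for illustration; the `+really` handling covers revert uploads such as the `5.6.1+really5.4.5-1` form Debian used, which a plain substring match on "5.6.1" would wrongly flag.

```shell
#!/bin/sh
# Added example (not from the thread). Classifies a Debian-style package
# version against the affected upstream xz releases 5.6.0 and 5.6.1.

# upstream_version PKGVER: print the upstream xz version actually packaged.
upstream_version() {
    v=${1#*:}                            # drop an epoch such as "1:"
    case $v in
        *+really*) v=${v#*+really} ;;    # "5.6.1+really5.4.5-1" ships 5.4.5
    esac
    v=${v%%-*}                           # drop the Debian revision ("-2ubuntu1")
    v=${v%%+*}                           # drop a repack suffix ("+dfsg")
    printf '%s\n' "$v"
}

# classify_xz_version PKGVER: print affected, not-affected or unknown.
classify_xz_version() {
    case $(upstream_version "$1") in
        '')          echo unknown ;;
        5.6.0|5.6.1) echo affected ;;
        *)           echo not-affected ;;
    esac
}

# Constructed sample inputs: the upstream versions named in the thread with
# illustrative Debian revisions, the affected releases, and a "+really" revert.
for pkgver in 5.2.2-1.3 5.2.4-1 5.2.5-2ubuntu1 5.6.0-0.2 5.6.1-1 \
              5.6.1+really5.4.5-1; do
    printf '%-22s %s\n' "$pkgver" "$(classify_xz_version "$pkgver")"
done

# On a dpkg-based system, also check the installed library (skipped elsewhere).
if command -v dpkg-query >/dev/null 2>&1; then
    installed=$(dpkg-query -W -f='${Version}\n' liblzma5 2>/dev/null | head -n 1)
    if [ -n "$installed" ]; then
        echo "installed liblzma5 $installed: $(classify_xz_version "$installed")"
    fi
fi
```

This only compares version numbers; it does not inspect the library binary itself.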

Avron


In addition, the archive of xz 5.2.5 was made in 2020, while the person responsible for the backdoor only started participating in 2021, so if that person introduced any other problematic code, it is anyway not in any version of Trisquel.

Other_Cody

Thank you, Luck-02, and everyone else, for the information about this problem.

I just checked some CVE websites and saw

https://github.com/CVEProject/cvelistV5

You can

git clone https://github.com/CVEProject/cvelistV5

and also may see more security reports.

I'm glad Trisquel, and likely most "Free as in freedom" GNU/Linux or other freedom supporting software sites/developers do not just pull and/or use the latest "updates" as those "updates" may not always be nice.

Though with freedom supporting software anyone does not need to just accept any update, or any code that that person does not like. And has the freedom to change the code as well.

I remember at least 4 freedoms shown at https://www.gnu.org/philosophy/free-sw.html

Luck-02

More information about the xz project here https://tukaani.org/