Jump to content

Mar 29 2024 - xz/liblzma potential compromise


Recommended Posts

Posted (edited)

I found it easier to just open each containers console and paste

 

xz --version

 

The result was the newer compromised XY version had only been used in Binhex apps.

So I stopped those running & may swap to linuxServer containers? What are others choosing?

Probably all irrelevant anyway as not running an SSH server.

 

Edited by dopeytree
Posted
11 hours ago, dopeytree said:

I found it easier to just open each containers console and paste

 

xz --version

 

The result was the newer compromised XY version had only been used in Binhex apps.

So I stopped those running & may swap to linuxServer containers? What are others choosing?

Probably all irrelevant anyway as not running an SSH server.

 

 

The binhex apps run arch, and do not have SSH running, so are not exploitable even if you have the bad versions. . Just wait for the next version of the binhex images to come out. 

  • Thanks 1
  • Upvote 1
Posted

@iXNyNe

the latest build of Digikam of Linuxserver.io is also infected with XZ utils version 5.6.1

 

How can we inform Linuxserver.io community ? If there is someone who knows how to reach them to  drop a note the development team would be appreciated...

In the meantime I better keep this docker blocked on my server

 

 

Posted
44 minutes ago, ullibelgie said:

@iXNyNe

the latest build of Digikam of Linuxserver.io is also infected with XZ utils version 5.6.1

 

How can we inform Linuxserver.io community ? If there is someone who knows how to reach them to  drop a note the development team would be appreciated...

In the meantime I better keep this docker blocked on my server

 

 

The version of xz in our latest release of digikam (and our kasm arch base image) is 5.6.1-3 which has been patched according to https://security.archlinux.org/AVG-2851

  • Upvote 1

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...