Jump to content

Mar 29 2024 - xz/liblzma potential compromise

jonfive

By jonfive
in Security

Recommended Posts

dopeytree Collaborator

dopeytree

Posted
Posted (edited)

I found it easier to just open each containers console and paste

  

xz --version

 

The result was the newer compromised XY version had only been used in Binhex apps.

So I stopped those running & may swap to linuxServer containers? What are others choosing?

Probably all irrelevant anyway as not running an SSH server.

 

Edited by dopeytree
Link to comment
Terebi Apprentice

Terebi

Posted
Posted
11 hours ago, dopeytree said:

I found it easier to just open each containers console and paste

  

xz --version

 

The result was the newer compromised XY version had only been used in Binhex apps.

So I stopped those running & may swap to linuxServer containers? What are others choosing?

Probably all irrelevant anyway as not running an SSH server.

 

 

The binhex apps run arch, and do not have SSH running, so are not exploitable even if you have the bad versions. . Just wait for the next version of the binhex images to come out. 

  • Thanks 1
  • Upvote 1
Link to comment
ullibelgie Contributor

ullibelgie

Posted
Posted

@iXNyNe

the latest build of Digikam of Linuxserver.io is also infected with XZ utils version 5.6.1

 

How can we inform Linuxserver.io community ? If there is someone who knows how to reach them to  drop a note the development team would be appreciated...

In the meantime I better keep this docker blocked on my server

 

 

Link to comment
iXNyNe Apprentice

iXNyNe

Posted
Posted
44 minutes ago, ullibelgie said:

@iXNyNe

the latest build of Digikam of Linuxserver.io is also infected with XZ utils version 5.6.1

 

How can we inform Linuxserver.io community ? If there is someone who knows how to reach them to  drop a note the development team would be appreciated...

In the meantime I better keep this docker blocked on my server

 

 

The version of xz in our latest release of digikam (and our kasm arch base image) is 5.6.1-3 which has been patched according to https://security.archlinux.org/AVG-2851

  • Upvote 1
Link to comment
dopeytree Collaborator

dopeytree

Posted
Posted
17 hours ago, ullibelgie said:

@iXNyNe

the latest build of Digikam of Linuxserver.io is also infected with XZ utils version 5.6.1

 

How can we inform Linuxserver.io community ? If there is someone who knows how to reach them to  drop a note the development team would be appreciated...

In the meantime I better keep this docker blocked on my server

 

 

 

https://github.com/linuxserver/docker-digikam/issues/new/choose

Link to comment

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...