• adr1an
    link
    fedilink
    08 months ago

    A nice tl;dr was https://news.ycombinator.com/item?id=39866307

    Copied here:

    For those panicking, here are some key things to look for, based on the writeup:

    • A very recent version of liblzma5 - 5.6.0 or 5.6.1. This was added in the last month or so. If you’re not on a rolling release distro, your version is probably older.

    • A debian or RPM based distro of Linux on x86_64. In an apparent attempt to make reverse engineering harder, it does not seem to apply when built outside of deb or rpm packaging. It is also specific to Linux.

    • Running OpenSSH sshd from systemd. OpenSSH as patched by some distros only pulls in libsystemd for logging functionality, which pulls in the compromised liblzma5.

    Debian testing already has a version called ‘5.6.1+really5.4.5-1’ that is really an older version 5.4, repackaged with a newer version to convince apt that it is in fact an upgrade.

    It is possible there are other flaws or backdoors in liblzma5, though.