hacker voice I’m In, the XZ Fiasco | cmdr-nova@internet:~$

*hacker voice* I'm In, the XZ Fiasco

As some who visit this blog, and also my Patreon, may know, for the past month or so, I've gone headfirst completely into Linux, leaving Windows in the dust like the roadrunner escaping the coyote. This was largely due in part to Microsoft's forced "artificial intelligence" injections into every single piece of its software (and possible subscription requirements in future versions of Windows).

Since then, I've learned quite a few different things. I already had some experience, as I've launched Debian instances on Digital Ocean in the past for hosting Mastodon instances, and I currently run this website on Debian 12.

With that in mind, I can't say that I fully understand what's going on with XZ today, aside from the fact that a backdoor was injected a little while ago (without anyone noticing until today) through ... what I believe to be a GitHub commit?

This is a huge security risk, as I believe it gives a hijacker open access to an SSH pipeline on a system (correct me in the comments if I'm wrong, I'm still learning a lot of things). Needless to say, I checked updates and versions of XZ on both my Pop!_OS system and my Debian 12 laptop faster than you can say, "Oh farts, I've lost my juice!"

But, you actually don't really need to worry all that much, unless you're running pre-release versions of most distributions, as detailed here via openwall.com.

That doesn't mean it's not something you should worry about, if you're outside of that scope of instances. In fact, if I were you, I'd open a terminal and check your XZ version, just to be sure.

The versions you DON'T want are 5.6.0 or 5.6.1, and you can check this by running `xz --version` in the terminal. My guess is that most won't have these versions, but if you do, run your updates!
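A scripted version of the check described above, added here as an example (not code from the original post): it parses both lines that `xz --version` prints and flags 5.6.0 or 5.6.1 on either one. The function names and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify `xz --version` output against the two versions
# the post says to avoid (5.6.0 and 5.6.1). Function names are illustrative.

# Constructed sample outputs (typed by hand, not captured from a real machine).
SAMPLE_OK='xz (XZ Utils) 5.4.1
liblzma 5.4.1'
SAMPLE_BAD='xz (XZ Utils) 5.6.1
liblzma 5.6.1'

# Print each version number found on the "xz" and "liblzma" lines of stdin.
extract_versions() {
    sed -n -E 's/^(xz \(XZ Utils\)|liblzma) ([0-9]+\.[0-9]+\.[0-9]+).*$/\2/p'
}

# Succeed only for the versions named in the post.
is_flagged_version() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Read `xz --version` text on stdin.
# Returns 0 = no flagged version, 1 = flagged version present, 2 = unparsable.
check_xz_output() {
    versions=$(extract_versions)
    if [ -z "$versions" ]; then
        echo "UNKNOWN: no version found in input"
        return 2
    fi
    rc=0
    for v in $versions; do
        if is_flagged_version "$v"; then
            echo "FLAGGED: $v (run your updates)"
            rc=1
        fi
    done
    if [ "$rc" -eq 0 ]; then
        echo "OK: $(echo $versions | tr ' ' ',')"
    fi
    return "$rc"
}

# Demo on the constructed samples; on a real machine use:
#   xz --version | check_xz_output
printf '%s\n' "$SAMPLE_OK"  | check_xz_output || true
printf '%s\n' "$SAMPLE_BAD" | check_xz_output || true
```

The non-zero return code on a flagged or unparsable result makes the function usable in a loop over several hosts or in a cron job that alerts on failure.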

This has been an exciting update brought to you by Me, in the world of Linux. Stay tuned for, I mean, hopefully fewer posts about sudden backdoors in Linux software!


mkultra.monster is independent, in that it is written, developed, and maintained by one person. Written, developed, and maintained, not for scrapers, bots, scammers, algorithms, or grifters: But for people to follow and read, just like the way it used to be, back in the golden age of the internet.

