Never had the backdoored packages:
>Ubuntu
>Debian
>Fedora
Had the backdoored packages but weren't vulnerable due to configuration:
>Arch Linux
https://archlinux.org/news/the-xz-package-has-been-backdoored/
>Gentoo
https://security.gentoo.org/glsa/202403-04
Had the backdoored packages AND was vulnerable to the backdoor:
>openSUSE Tumbleweed
https://news.opensuse.org/2024/03/29/xz-backdoor/
Stop using Tumbleweed.
No, Debian Sid is not a real distro.
>leaving SSH wide open to the entire internet
shiggy
Sometimes I just want to use my home computer's files and power when I'm out.
then use a VPN
I never had sshd running in the first place. No ports forwarded either.
FOSS wins again
>ITT a bunch of self important dorks celebrating their home pc wasn't vulnerable
You weren't the target. It was obviously meant for webservers. No one cares about your troony porn collection
Wrong. China is after me.
A China Man tonguing my anus in a vertical take off jet just flew over my house!
no it are not aftel you
Web servers don't run bleeding edge testing software. If anything it was aimed at Arch users.
It probably was meant to get in new LTS releases, therefore in new server installs.
This was a long term play, imagine several years down the line where it's everywhere and suddenly the state actor can access any server with ssh
It hasn't even made it into beta so the whole plan was just bad.
it made it into fedora beta+rawhide, debian testing+unstable+experimental, opensuse tumbleweed and microos
it was three or four weeks away from shipping on fedora
plenty of dev machines and testing environments got hit through debian and opensuse, though it was still at least a year away from shipping on any production distro
It would have gotten to the stable distros if it didn't cause noticeable latency with sshd. The plan was effective, the code was bad.
>openSUSE Tumbleweed
>[b]leading edge
>stable
Heh.
Bots could be used to mass attack any vulnerable machines.
it truly is amazing to me that tw is the absolute one that got raped by this. The only other distros that were affected were test distros, which is not what tumbleweed is, and the distros that were targeted were not even harmed.
this is why I drink.
I don't think it's that odd. The two biggest rolling release distros both had the malicious code. Arch just wasn't affected because the backdoor wasn't built to target it. But the package was there for weeks, and nobody noticed.
I was a tumbleweed user, had SSH disabled entirely, but this whole thing has me a bit hesitant to use bleeding-edge distros for now. I moved back to Fedora.
you think FEDora is any better?
Debian and Fedora did have the vulnerable packages, Debian had them on everything but stable, Fedora on Fedora 40 beta and Fedora Rawhide, all of them with vulnerable builds
If it hadn't been discovered before April 16~ it would have been shipped with Fedora 40, little bit more than half a month
Red Hat people were the ones helping Jia Tan fix valgrind errors to allow the package in
could have migrated to slowroll, which wasn't affected
They should make that the main openSUSE distro. Just remove "slow" from the name as it makes it sound moronic, use a more symbolic name like Leap and Tumbleweed do.
There's probably computers being raped right now from similar undiscovered vulnerabilities. It seems unlikely to me that this is the first time something so sophisticated was tried only to be discovered by dumb luck
The real story should not be to stop using Tumbleweed but for distros to stop unnecessarily patching packages.
That's what served as the vector for infection here. Fedora and Ubuntu/Debian got lucky.
Upstream OpenSSH is now looking into adding their own Systemd-notify implementation instead of the idiots that wrote the patch that all of the distros are currently using.
This version had it existed beforehand would not have allowed for this attack to take place.
>In other words, if the distros did not patch OpenSSH and used it in their stock configuration then this attack would have been much harder to pull off.
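An added example, not code from the thread: a defender's check for the layout the posts above describe, namely whether an sshd binary has liblzma mapped at all and whether it gets there through libsystemd (the distro systemd-notify patch). The /usr/sbin/sshd path is an assumption and the two ldd outputs are constructed samples.

```shell
#!/bin/sh
# classify_ldd LDD_OUTPUT -> prints one of:
#   clean             neither libsystemd nor liblzma is mapped (upstream-style sshd)
#   systemd-only      libsystemd present but it did not pull in liblzma
#   lzma-via-systemd  libsystemd present and liblzma mapped (the exposed layout)
#   lzma-direct       liblzma mapped without libsystemd
classify_ldd() {
    out=$1
    has_systemd=0; has_lzma=0
    printf '%s\n' "$out" | grep -q 'libsystemd\.so' && has_systemd=1
    printf '%s\n' "$out" | grep -q 'liblzma\.so' && has_lzma=1
    if [ "$has_lzma" -eq 1 ] && [ "$has_systemd" -eq 1 ]; then
        echo lzma-via-systemd
    elif [ "$has_lzma" -eq 1 ]; then
        echo lzma-direct
    elif [ "$has_systemd" -eq 1 ]; then
        echo systemd-only
    else
        echo clean
    fi
}

# check_live_sshd [PATH]: run ldd on the installed sshd.
# The default path is an assumption; pass your distro's location if it differs.
check_live_sshd() {
    bin=${1:-/usr/sbin/sshd}
    [ -x "$bin" ] || { echo "no sshd binary at $bin" >&2; return 1; }
    classify_ldd "$(ldd "$bin" 2>/dev/null)"
}

# Constructed ldd output modelled on a distro sshd carrying the systemd-notify patch.
SAMPLE_PATCHED='	linux-vdso.so.1 (0x00007ffd00000000)
	libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f0000000000)
	libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f0000100000)
	liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f0000200000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000300000)'

# Constructed ldd output for an sshd built from stock upstream sources.
SAMPLE_STOCK='	linux-vdso.so.1 (0x00007ffd00000000)
	libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f0000000000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000300000)'

classify_ldd "$SAMPLE_PATCHED"   # lzma-via-systemd
classify_ldd "$SAMPLE_STOCK"     # clean
```

Run `check_live_sshd` on a real host to classify the installed daemon; "lzma-via-systemd" is exactly the linkage that let a malicious liblzma reach sshd on the affected distros.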
All the tumbleweed shills on this board must feel pretty fricking moronic right now.
Fedora is still on top. Exploit never made it into the stable release and barely made it into the beta release.
My fedora 39 install never even got close to having this backdoor. Meanwhile Tumbleweed cucks were having all their shit leaked to China.
Unless they used Leap of course.
If you used Rawhide you'd have had this issue too.
You know that suse has a stable release, right? That release was not impacted. I don't think anyone shills tumbleweed
People do shill it, but for desktop use. If you're using a rolling release on your server then you deserve everything you get.
look let's not mince words. when people recommend or talk about opensuse they mean tumbleweed. Even Suse is doing away with leap which honestly I think they should reconsider at this point if they want to survive at all.
I shill Tumbleweed but only for desktop not servers
>Debian Sid is not a real distro
story time
>bee mee
>a moron
>use debian sid for le bleeding edge packages
>have a pocket chip
>want to reflash it
>apt install fastboot
>run fastboot
>the maintainer for android-tools couldn't be bothered so he put a simple bash script that said 'IOU' instead of fastboot
>look through mailing lists, only see a few words here and there about this
>install old version through apt versioning, get my stuff done
>wipe system go back to stable
Debian sid isn't a real distro, it's literally a maintainer's playground and you deserve nothing good if your system breaks while using debian sid
>>the maintainer for android-tools couldn't be bothered so he put a simple bash script that said 'IOU' instead of fastboot
LOL
>haven't updated my Linux since 2020
>mfw I'm safe from downloading any new meme vulnerabilities
Hehe, updooters BTFO.
it was fedora rawhide, suse and kali
I stopped using suse because of other issues just before it happened, but switched to fedora 40, so probably was still affected, kek.
It was actually available on Debian Testing, which a lot of people use on their personal machine to mimic Arch.
Also, it was exclusively targeting Debian and Fedora.