Closed TanvirOnGH closed 3 months ago
NixOS reportedly not affected see discussion in https://matrix.to/#/#security-discuss:nixos.org
If you have a paranoid setup then consider: https://github.com/Kreyren/nixos-config/commit/3094dcaff60d3ac432a5a2ca76eb535d97d4c2bc
UPDATE: NixOS is reverting xz 5.4.6 -> 5.6.1 https://github.com/NixOS/nixpkgs/pull/300028 as they can't rule out that it's not affected
libarchive also considered affected: https://github.com/libarchive/libarchive/commits?author=JiaT75
Might be useful: https://github.com/DarkKirb/nixos-config/pull/381/files
Anthony Weems has been reverse engineering the xz backdoor this weekend and has documented the payload format and written a proof-of-concept exploit for the RCE. The payloads are signed with an ED448 key, so he patched his own key into the backdoor for testing.
Description
Backdoor in upstream xz/liblzma leading to ssh server compromise.
Info
CVE: CVE-2024-3094
Type: Backdoor
Affects: xz-5.6.x
Scope: openssh having a linked libsystemd
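As an added example (not part of this advisory, and not code from the xz, openssh or NixOS projects), the following POSIX shell script turns the Affects and Scope lines above into a host check: it parses the first line of `xz --version` for a 5.6.x release and looks at `ldd` output of the sshd binary for the libsystemd and liblzma linkage that puts a host in scope. The function names are this example's own, and the embedded ldd text is constructed sample input, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the advisory: does this host match CVE-2024-3094's
# "Affects" (xz 5.6.x) and "Scope" (sshd linked against libsystemd -> liblzma)?

# Print the first X.Y.Z token from an `xz --version` banner line, e.g.
# "xz (XZ Utils) 5.6.1" -> "5.6.1". Returns 1 if no version token is present.
xz_version_from_banner() {
    for tok in $1; do
        case "$tok" in
            [0-9]*.[0-9]*.[0-9]*) printf '%s\n' "$tok"; return 0 ;;
        esac
    done
    return 1
}

# Return 0 (true) if the banner names a release in the affected 5.6.x series.
# The advisory scopes this as 5.6.x, so the match is on the minor version.
xz_version_affected() {
    ver=$(xz_version_from_banner "$1") || return 1
    case "$ver" in
        5.6.*) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if ldd output shows both libsystemd and liblzma. ldd lists transitive
# dependencies, so liblzma appears here when libsystemd pulls it into sshd.
sshd_links_lzma_via_systemd() {
    printf '%s\n' "$1" | grep -q 'libsystemd\.so' &&
    printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# Constructed sample ldd output (not from a real host) for exercising the check.
SAMPLE_LDD_IN_SCOPE='	libsystemd.so.0 => /usr/lib/libsystemd.so.0
	liblzma.so.5 => /usr/lib/liblzma.so.5
	libc.so.6 => /usr/lib/libc.so.6'
SAMPLE_LDD_NO_SYSTEMD='	libcrypto.so.3 => /usr/lib/libcrypto.so.3
	libc.so.6 => /usr/lib/libc.so.6'

# Run both checks against the local machine and report. Always returns 0 so the
# script can be sourced or run in a pipeline; the printed lines are the result.
check_host() {
    if command -v xz >/dev/null 2>&1; then
        banner=$(xz --version 2>/dev/null | head -n1)
        if xz_version_affected "$banner"; then
            echo "AFFECTED xz build: $banner"
        else
            echo "xz not in the affected 5.6.x series: $banner"
        fi
    else
        echo "xz not installed"
    fi

    sshd_path=$(command -v sshd 2>/dev/null || true)
    [ -n "$sshd_path" ] || [ ! -x /usr/sbin/sshd ] || sshd_path=/usr/sbin/sshd
    if [ -n "$sshd_path" ] && command -v ldd >/dev/null 2>&1; then
        if sshd_links_lzma_via_systemd "$(ldd "$sshd_path" 2>/dev/null)"; then
            echo "sshd at $sshd_path links libsystemd and liblzma: in scope"
        else
            echo "sshd at $sshd_path does not show the libsystemd/liblzma linkage"
        fi
    else
        echo "sshd or ldd not found; skipping linkage check"
    fi
    return 0
}

check_host
```

The version match follows the advisory's 5.6.x scope rather than a fixed list of releases. A banner that reads 5.6.x is a reason to act, but the absence of one is not proof of safety: a distribution may ship a patched or reverted build under a different package version, so confirm against the package changelog, and treat `ldd` output as a pointer to the linkage path, not as evidence about what the loaded liblzma does.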
Solution/Mitigation
Do not use any of the affected versions of xz (xz-5.6.x).
References