Truth about xz backdoor on linux

Started by Ghost Member, May 09, 2024, 05:23:24 PM

Previous topic - Next topic

0 Members and 1 Guest are viewing this topic.

Ghost Member

I see Windows fanboy(linux hater ones) try to use this incident and slur Linux again that they're vulnerable as windows. That's BS. Here's the truth.

1. All these times It's fake xz-utils source code 5.6.0, 5.6.1 version.

The Debian package maintainer mistook this for latest source code and make package host on Debian Unstable & Testing repository and found out later it's contain backdoor code which can affect otheer Xz archives like tar.xz files but it's not gonna affect tar.bz2, tar.gz just tar.xz

2. Real official version is 5.4.6
https://sourceforge.net/projects/lzmautils/files/
and the Culprit is: https://github.com/JiaT75
As original Xz dev state https://tukaani.org/xz-backdoor/

3. it's already been fixed on Debian and rename as "5.6.1+really5.4.5-1" so this flaw is fixed no more backdoor.
https://packages.debian.org/search?keywords=xz-utils

Hālian He/him

I think you're putting too much stock in Linux antis and what they have to say. Regardless, it's good to point this out for people who may not have known.

(Would like to know what the current situation is for other distros, though, for completeness' sake.)

Ghost Member

#2
I take back my word Brian's change attitude start to make Linux video already he fed up with W11 copilot recall function as many windows users rage at. So I'm back to respect him being neutral.

On the other hand I'll keep this xz incident as history truth. But xz is only previously affect Debian testing & Sid channel not other distros & they package maintainers already fixed that. So this incident isn't virus spreading but backdoor code in fake xz 5.6.1 version spreading to xz archives to affect packages that package maintainer making it.