From: lauren n. liberda
To: ~alpine/users@lists.alpinelinux.org
Date: Sat, 30 Mar 2024 13:25:12 +0100
Subject: Re: XZ force downgrade led to removal of many packages
In-Reply-To: <974c079f-8e90-495c-a9f8-c266eb458f09@vk4msl.com>
References: <1c614505-92f2-42b4-ba46-b227777e0d5b@lodispoto.com> <974c079f-8e90-495c-a9f8-c266eb458f09@vk4msl.com>
Message-ID: <1B02E076-6184-452D-8AE8-74C28E925514@selfisekai.rocks>

not noted: the backdoor also required glibc, which alpine famously doesn't use

On 30 March 2024 11:15:32 am GMT+01:00, Stuart Longland VK4MSL wrote:
>On 30/3/24 15:16, Mike Lodispoto wrote:
>> I was attempting to downgrade XZ because of the SSH backdoor in it.
>
>While I definitely wouldn't recommend installing the later xz libraries
>at this time, looks like the "damage" has been done as there are likely
>packages that depend on _that_ version of the xz libs.
>
>Gentoo issued this statement today:
>> Impact
>>
>> Our current understanding of the backdoor is that it does not affect
>> Gentoo systems, because 1. the backdoor only appears to be included
>> on specific systems and Gentoo does not qualify; 2. the backdoor as
>> it is currently understood targets OpenSSH patched to work with
>> systemd-notify support. Gentoo does not support or include these
>> patches; Analysis is still ongoing, however, and additional vectors
>> may still be identified. For this reason we are still issuing this
>> advisory as if that will be the case.
>-- https://glsa.gentoo.org/glsa/202403-04
>
>Now, AlpineLinux, like Gentoo…
>
>- uses OpenRC (Gentoo *can* use systemd, but the default is OpenRC)
>- does not use RPM or DEB packages
>- likely will not be patching OpenSSH to support systemd-notify since the latter is not present
>
>I think in the coming days, there will be an audit done on the `xz` library and out of that, we should see a release that corrects the issues identified.
>
>Let's hold tight on this one.
>
>AlpineLinux 3.19 ships with xz 5.4.5. It's only "edge" that's affected. Not sure if there is an issue raised on this, I tried searching, but when I put "xz" in the search box and click search, gitlab just sits there and looks at me stupid -- apparently keyword searching on a bug title is not in its feature set.
>--
>Stuart Longland (aka Redhatter, VK4MSL)
>
>I haven't lost my mind...
> ...it's backed up on a tape somewhere.