Message-ID: <974c079f-8e90-495c-a9f8-c266eb458f09@vk4msl.com>
Date: Sat, 30 Mar 2024 20:15:32 +1000
Subject: Re: XZ force downgrade led to removal of many packages
To: Mike Lodispoto, ~alpine/users@lists.alpinelinux.org
From: Stuart Longland VK4MSL
In-Reply-To: <1c614505-92f2-42b4-ba46-b227777e0d5b@lodispoto.com>

On 30/3/24 15:16, Mike Lodispoto wrote:
> I was attempting to downgrade XZ because of the SSH backdoor in it.

While I definitely wouldn't recommend installing the later xz libraries at this time, it looks like the "damage" has been done, as there are likely packages that depend on _that_ version of the xz libs.

Gentoo issued this statement today:

> Impact
>
> Our current understanding of the backdoor is that it does not affect
> Gentoo systems, because 1. the backdoor only appears to be included
> on specific systems and Gentoo does not qualify; 2. the backdoor as
> it is currently understood targets OpenSSH patched to work with
> systemd-notify support. Gentoo does not support or include these
> patches; Analysis is still ongoing, however, and additional vectors
> may still be identified. For this reason we are still issuing this
> advisory as if that will be the case.
-- https://glsa.gentoo.org/glsa/202403-04

Now, AlpineLinux, like Gentoo…

- uses OpenRC (Gentoo *can* use systemd, but the default is OpenRC)
- does not use RPM or DEB packages
- likely will not be patching OpenSSH to support systemd-notify since the latter is not present

I think in the coming days, there will be an audit done on the `xz` library and out of that, we should see a release that corrects the issues identified. Let's hold tight on this one.

AlpineLinux 3.19 ships with xz 5.4.5. It's only "edge" that's affected.

Not sure if there is an issue raised on this. I tried searching, but when I put "xz" in the search box and click search, gitlab just sits there and looks at me stupid -- apparently keyword searching on a bug title is not in its feature set.

-- 
Stuart Longland (aka Redhatter, VK4MSL)

I haven't lost my mind...
...it's backed up on a tape somewhere.
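The two checks the reply above implies for an Alpine host (is the installed xz one of the compromised releases, and does sshd link liblzma at all, which a stock OpenRC build without the systemd-notify patch should not), as an added example that is not from the thread or the Alpine project. It assumes the backdoored upstream releases are 5.6.0 and 5.6.1 (the post does not list them) and that Alpine's package names are `xz` and `xz-libs`.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the compromised upstream releases
# are 5.6.0 and 5.6.1 (not listed in the post) and Alpine's package names are
# xz / xz-libs.

# True (exit 0) when an xz version string, with or without Alpine's -rN package
# revision suffix, is one of the compromised releases.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1|5.6.0-r*|5.6.1-r*) return 0 ;;
        *) return 1 ;;
    esac
}

# Pull "<version>-r<rev>" out of an `apk info -v` line such as "xz-libs-5.4.5-r0".
apk_line_version() {
    printf '%s\n' "$1" | sed -E 's/^.*-([0-9][^-]*(-r[0-9]+)?)$/\1/'
}

# Print "affected" or "ok" for one `apk info -v` line.
classify_apk_line() {
    if xz_version_affected "$(apk_line_version "$1")"; then
        echo affected
    else
        echo ok
    fi
}

# True when the installed sshd links liblzma. On stock Alpine (OpenRC, no
# systemd-notify patch) this should be false, which is the point the reply makes.
sshd_links_liblzma() {
    sshd_path=$(command -v sshd 2>/dev/null) || return 1
    ldd "$sshd_path" 2>/dev/null | grep -q 'liblzma'
}

# Live report over the installed xz packages and the sshd binary.
live_check() {
    apk info -v 2>/dev/null | grep -E '^xz(-libs)?-[0-9]' | while read -r line; do
        echo "$line: $(classify_apk_line "$line")"
    done
    if sshd_links_liblzma; then
        echo "sshd links liblzma: review how this OpenSSH was built"
    else
        echo "sshd does not link liblzma"
    fi
}

# Only run the live report where apk exists, so the functions stay usable elsewhere.
if command -v apk >/dev/null 2>&1; then live_check; fi
```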