Items tagged with: liblzma
So now that we all understand that thanklessly relying on free work of overworked maintainers is a problem, how about we put our money where our mouth is?
I think @AndresFreundTec needs a fat bonus check for saving our asses.
And Lasse Collin needs a lot of support, and probably a nice vacation.
I pledge $100, for starters.
Now how can we make sure to send the funds to the correct people?
Or is there already any fundraiser that I missed?
Is there concern for snaps or flatpaks? Checking my own stuff, it looks like applications using bundled liblzma are running the 5.2.* - 5.4.* versions, but if someone has a bleeding-edge application running an affected version, what would the remediation be? Would uninstalling it be sufficient?
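A way to answer the "check my own stuff" part of the question above, as an added example that is not part of any post on this page: it flags the two xz/liblzma versions named in the linked advisory (5.6.0 and 5.6.1) by parsing `xz --version` output and by scanning snap, flatpak and system library directories for `liblzma.so.X.Y.Z` filenames. It inspects version strings statically and deliberately never loads a candidate library; the directory roots are assumptions.

```python
"""Flag xz/liblzma builds at the versions named in the advisory (5.6.0, 5.6.1).

Added example, not from the posts above. Version information is taken
from text only (command output and filenames); no candidate library is
ever dlopen()ed, so a suspect copy is never executed by this check.
"""
import re
import subprocess
from pathlib import Path

# The versions the oss-security post names as containing the backdoor.
BACKDOORED = {(5, 6, 0), (5, 6, 1)}
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")
# Assumed locations for bundled and system copies; adjust for your host.
DEFAULT_ROOTS = ("/snap", "/var/lib/flatpak", "/usr/lib", "/usr/lib64")


def parse_version(text):
    """Return the first X.Y.Z in `text` as an int tuple, or None."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def is_backdoored(version):
    return version in BACKDOORED


def classify_xz_output(output):
    """Parse `xz --version` output, e.g. 'xz (XZ Utils) 5.6.1\\nliblzma 5.6.1',
    into {component: (version_tuple, flagged)}."""
    result = {}
    for line in output.splitlines():
        version = parse_version(line)
        if version is None:
            continue
        name = "xz" if line.startswith("xz") else line.split()[0]
        result[name] = (version, is_backdoored(version))
    return result


def scan_bundled(roots=DEFAULT_ROOTS):
    """List (path, version, flagged) for every liblzma.so.X.Y.Z under `roots`."""
    hits = []
    for root in roots:
        if not Path(root).is_dir():
            continue
        for path in Path(root).rglob("liblzma.so.*"):
            version = parse_version(path.name)
            if version is not None:
                hits.append((str(path), version, is_backdoored(version)))
    return hits
```

Run `scan_bundled()` and `classify_xz_output(subprocess.run(["xz", "--version"], capture_output=True, text=True).stdout)` on a host to get the flagged entries; any `True` in the output is a copy to remove or downgrade per your distro's guidance.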
Eek. Apparently liblzma (part of the xz package) has a backdoor in versions 5.6.0 and 5.6.1, causing SSH to be compromised.
https://www.openwall.com/lists/oss-security/2024/03/29/4
This might even have been done on purpose by the upstream devs.
Developing story, please take with a grain of salt.
The 5.6 versions are somewhat recent; depending on how bleeding edge your distro is, you might not be affected.