Is OMV affected by the recently discovered XZ backdoor SSH exploit?
XZ Backdoor and OMV7
- OMV 7.x
- solved
- Asmodus
Is OMV affected by the recently discovered XZ backdoor SSH exploit?
No links or info while asking?
A quick search on the web shows this: XZ Backdoor Attack CVE-2024-3094: All You Need To Know (jfrog.com)
So, unless you are running unstable packages (which you shouldn't) there should be no issues.
If there were, it's Debian's responsibility to upgrade the packages, NOT OMV.
No links or info while asking?
A quick search on the web shows this: XZ Backdoor Attack CVE-2024-3094: All You Need To Know (jfrog.com)
So, unless you are running unstable packages (which you shouldn't) there should be no issues.
If there were, it's Debian's responsibility to upgrade the packages, NOT OMV.
No links, it took you 2 secs to look up what it was. It's pretty big news from what I can tell as it's a pretty serious security issue.
I didn't ask whose 'responsibility' it was, I asked if it was affected.
A simple 'No it's fine, we're good' or a 'yes it's an issue right now', would've been more helpful.
As it stands I'm still none the wiser.
-
No it's fine, we're good
You got your answer.
-
Thank you
-
votdev
Added the label solved.
votdev
Added the label OMV 7.x.
Here the solution from the JFrog site:
"How to remediate CVE-2024-3094
Immediately downgrade your version of xz to an earlier version (5.4.6 is the latest unaffected version in most distributions)."
The installed version on OMV 7 is 5.4.1-0.2
root@xxxxxxx:~# apt search xz-utils
…
xz-utils/stable,now 5.4.1-0.2 amd64 [Installiert,automatisch]
All is fine.
-
A quick search on the web shows this:
XZ Backdoor Attack CVE-2024-3094: All You Need To Know (jfrog.com)
It seems that Alpine is affected and many docker containers are based on Alpine.
-
It seems that Alpine is affected and many docker containers are based on Alpine.
It only affects EDGE/testing versions.
I don't see docker containers running versions other than STABLE.
But it's easy to spot:
Bash inside the container and check which version is running, e.g.:
docker exec -it swag bash
strings `which xz` | grep '5\.6\.[01]'
-
Or you can also verify which packages are on the containers by checking their GitHub page and the file package_versions.txt
docker-nextcloud/package_versions.txt at master · linuxserver/docker-nextcloud (github.com)
etc...
-
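Added example, not part of any post in this thread and not OMV or linuxserver code: a shell helper that turns the `grep '5\.6\.[01]'` check suggested above into a version classifier and applies it to every running container. It goes one step beyond the posts by handling Debian-style `+really` rollback versions, which a plain grep for 5.6.1 would match; the package names `liblzma5` and `xz-libs`, the function names and all sample strings except `5.4.1-0.2` are assumptions or constructed.

```shell
#!/bin/sh
# Added example (not from the thread): classify xz / liblzma package versions
# for CVE-2024-3094. Upstream 5.6.0 and 5.6.1 are the releases to look for.

# Reduce a distro package version to the upstream version actually shipped.
upstream_version() {
    v="${1#*:}"                           # drop a Debian epoch such as "1:"
    case "$v" in
        *+really*) v="${v##*+really}" ;;  # "5.6.1+really5.4.5-1" ships 5.4.5
    esac
    printf '%s\n' "${v%%[-+~]*}"          # drop revision: "-0.2", "-r1", "+b1", "~rc1"
}

# "REVIEW" means upstream 5.6.0/5.6.1: check the distro advisory for that build.
xz_status() {
    case "$(upstream_version "$1")" in
        "")          echo "n/a" ;;
        5.6.0|5.6.1) echo "REVIEW" ;;
        *)           echo "ok" ;;
    esac
}

# Ask a running container for its liblzma package version (Debian/Ubuntu or Alpine).
# Assumption: package names liblzma5 (dpkg) and xz-libs (apk).
container_xz_version() {
    docker exec "$1" sh -c '
        dpkg-query -W -f="\${Version}\n" liblzma5 2>/dev/null ||
        apk info -v 2>/dev/null | sed -n "s/^xz-libs-//p"'
}

# One line per running container; call this on the Docker host.
scan_containers() {
    for c in $(docker ps --format '{{.Names}}'); do
        ver="$(container_xz_version "$c" | head -n 1)"
        printf '%-24s %-26s %s\n' "$c" "${ver:-not-found}" "$(xz_status "$ver")"
    done
}

# Offline demo: the first version string is from the thread, the rest are constructed.
for s in "5.4.1-0.2" "5.6.1-r1" "1:5.6.0-0.2" "5.6.1+really5.4.5-1"; do
    printf '%-22s %s\n' "$s" "$(xz_status "$s")"
done
```

Source the file and run `scan_containers` on the Docker host; a REVIEW line is a prompt to read the image's distro advisory, since a package revision can carry a fix while keeping the upstream number.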
Even if you were using a bleeding edge version of alpine, it seems unlikely to be an issue unless you had ssh installed. Most docker containers don't have ssh installed. I'm sure there are other ways the xz hack could be used but ssh was the only real one I have seen so far.
-
I'm sure there are other ways the xz hack could be used but ssh was the only real one I have seen so far.
Yes, it's not fully understood what was in the code.
“We even worked with him to fix the valgrind issue (which it turns out now was caused by the backdoor he had added),” the Ubuntu maintainer said. "He has been part of the xz project for two years, adding all sorts of binary test files, and with this level of sophistication, we would be suspicious of even older versions of xz until proven otherwise."
Taken from (link provided).
Backdoor found in widely used Linux utility targets encrypted SSH connections | Ars Technica