- cross-posted to:
- [email protected]
- cross-posted to:
- [email protected]
TL;DR there was a backdoor found in the XZ program. All major distros have been updated but it is recommended that you do a fresh install on systems that are exposed to the internet and that had the bad version of the program. Only upstream distros were affected.
For those on Android running Termux, it is also affected. Just checked my version of xz-utils and it was 5.6.1. Running “pkg upgrade” will roll back to version 5.4.5 (tagged as “5.6.1+really5.4.5” for both liblzma and xz-utils packages).
Makes you wonder why Termux ships the latest stuff. It might be smart to allow more time for critical problems to get caught.
Probably for the exact same reason this backdoor was introduced. Users complain about slow feature rollouts so (unpaid) devs (maintaining software in their spare time out of the kindness of their hearts) cut corners. In some situations that looks like bringing on a second maintainer without thorough vetting, in others it looks like importing upstream packages without thorough vetting.
Don’t blame the Termux devs here, blame the community that keeps pushing them to move faster.
So if I am seeing this I am good?
Yeah, that’s what mine “upgraded” to. All that update does is rollback to 5.4.5.