Greetings,
I do not normally use mailing lists such as this one to inform subscribers of security notices, but this issue is extreme enough that it may benefit the anonymity of Tor users if relay operators are aware of it sooner.
The near-universally used 'xz' compression library has been found to contain a backdoor in certain code branches. This backdoor has made it into some systems such as Debian Sid.
Details regarding this backdoor are available here: https://www.openwall.com/lists/oss-security/2024/03/29/4
It is suspected that if your OpenSSH server links to the xz library, which Debian appears to do, then this backdoor is remotely exploitable. If your OpenSSH server does not link to this library, then your system still contains many processes that run xz actions as the root user, some input of which may be less than trusted.
For those needing a patch, I recommend you research your distribution's security advisory page for further information.
References: Debian Sid Advisory: https://security-tracker.debian.org/tracker/CVE-2024-3094
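The post's first question for an operator is whether the local sshd binary is linked against liblzma at all. The following POSIX shell script is an added example for this thread, not code from the poster or from the Tor project: it parses ldd output with a pure function (so it can be tested on constructed text), resolves the liblzma symlink to recover the installed version, and compares that version against a list of affected versions that the operator supplies from their distribution's advisory via the AFFECTED environment variable (the script hard-codes none). The function names, the "run" argument and the sample ldd lines are all assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original thread): does the local sshd link liblzma,
# and which liblzma version is installed? Pure helpers are exercised on
# constructed input; the live check runs only when invoked as: sh check_xz.sh run

# liblzma_from_ldd: read ldd-style output on stdin and print the resolved path
# of liblzma (ldd lists transitive dependencies, so an indirect link through
# another library is reported too). Exit 0 if found, 1 if not.
liblzma_from_ldd() {
    # typical line: "  liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x...)"
    awk '$1 ~ /^liblzma\.so/ { print $3; found = 1 } END { exit (found ? 0 : 1) }'
}

# lzma_version_from_name: derive the xz version from the real library file name
# (e.g. liblzma.so.5.4.5 -> 5.4.5). A bare soname such as liblzma.so.5 carries
# no version, so "unknown" is printed instead.
lzma_version_from_name() {
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^liblzma\.so\.\([0-9][0-9]*\(\.[0-9][0-9]*\)\{1,\}\)$/\1/p')
    if [ -n "$ver" ]; then printf '%s\n' "$ver"; else printf 'unknown\n'; fi
}

# version_listed: exit 0 if $1 is one of the space-separated versions in $2.
# The list is meant to be copied from the distribution advisory by the operator.
version_listed() {
    for v in $2; do
        [ "$v" = "$1" ] && return 0
    done
    return 1
}

# check_local_sshd: the live check. Reports the sshd path, whether it links
# liblzma, the resolved library file and version, and flags a match against
# $AFFECTED when that variable is set.
check_local_sshd() {
    sshd_bin=$(command -v sshd 2>/dev/null || printf '%s' /usr/sbin/sshd)
    if [ ! -x "$sshd_bin" ]; then
        echo "sshd binary not found; nothing to check"
        return 2
    fi
    command -v xz >/dev/null 2>&1 && printf 'xz tool: %s\n' "$(xz --version 2>/dev/null | head -n 1)"
    if path=$(ldd "$sshd_bin" 2>/dev/null | liblzma_from_ldd); then
        target=$(readlink -f "$path")
        ver=$(lzma_version_from_name "${target##*/}")
        echo "sshd ($sshd_bin) links liblzma: $target (version $ver)"
        if [ -n "${AFFECTED:-}" ] && version_listed "$ver" "$AFFECTED"; then
            echo "WARNING: liblzma $ver is in the affected list ($AFFECTED); consult the advisory"
            return 1
        fi
        echo "liblzma is linked; compare version $ver with your distribution advisory"
    else
        echo "sshd ($sshd_bin) does not link liblzma (directly or transitively)"
    fi
    return 0
}

if [ "${1:-}" = "run" ]; then
    check_local_sshd
fi
```

Run it as `AFFECTED="<versions from the advisory>" sh check_xz.sh run`; the exit status is 1 when the installed liblzma version is on the supplied list, 0 otherwise, so it can be dropped into a fleet check. Note that a clean result here only answers the sshd question from the post, not the separate concern about other root processes that invoke xz on untrusted input.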
On Friday, 29 March 2024 19:39:05 CEST pasture_clubbed242--- via tor-relays wrote:
> The near-universally used 'xz' compression library has been found to contain a backdoor in certain code branches. This backdoor has made it into some systems such as Debian Sid.
> Details regarding this backdoor are available here: https://www.openwall.com/lists/oss-security/2024/03/29/4
Pretty unlikely that anyone uses testing or sid for productive servers.