Xz / liblzma compromised upstream, quick update?

Report sounds serious, although I am not running sshd on my Endeavour box. My currently up-to-date install has the vulnerable version 5.6.1 of xz installed.

$ pacman -Q xz
xz 5.6.1-2

Hope a clean update gets pushed soon.

[Edit: so actually, the dash-2 update on my box was the already updated and fixed Arch version. I hope the upstream issue gets solved, so for clarity's sake there can be a proper version number bump.]


Yeah…hopefully it will be out soon.

https://security.archlinux.org/CVE-2024-3094

Or is it already…?


Thanks for the warning :+1: :1st_place_medal: - I was just about to report this here as well.

Looks like it's fixed.

I’ve got 5.6.1-2 as well. :+1:


“The malicious code path does not exist in the arch version of sshd, as
it does not link to liblzma.”
https://security.archlinux.org/ASA-202403-1

Does that mean we are relatively safe? Is there a way to check if you're affected or something?

The original post I linked contains a script to check for the vulnerable version. I checked the script before running it and when I did, it exited with no output.

So, maybe… yeah?

https://archlinux.org/news/the-xz-package-has-been-backdoored


I updated the containers, but the guide also says this:

Afterwards make sure to rebuild any container images based on the affected versions and also inspect any running containers!

Anyone know how to do it?

Do you have podman / docker Arch Linux containers?

It's written there in detail.
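For the two questions above (how to check whether your own box is affected, and how to inspect running containers after rebuilding the images), here is an added example that is not from this thread or from Arch Linux. It classifies the output of `pacman -Q xz` against the version boundaries Arch's advisory ASA-202403-1 gives (affected: xz before 5.6.1-2, i.e. the 5.6.0-1 and 5.6.1-1 builds made from the backdoored upstream tarballs; fixed: 5.6.1-2, rebuilt from git), checks whether the host's sshd is linked against liblzma, which is the condition the advisory cites for the malicious code path, and repeats the package check inside every running Docker container. The version strings in the comments and the container loop are my own construction; the version logic is Arch-specific and does not apply to other distributions' package names or fix releases.

```shell
#!/bin/sh
# Added example, not from this thread or from Arch Linux. Classifies
# `pacman -Q xz` output using the boundaries in ASA-202403-1 (affected:
# xz < 5.6.1-2; fixed: 5.6.1-2, rebuilt from git), checks whether sshd
# links liblzma, and repeats the package check in running Docker containers.
# Arch-specific assumptions: pacman's "xz <pkgver>-<pkgrel>" format and
# Arch's package release numbers.

# classify_xz "xz 5.6.1-2" -> prints fixed | affected | not-affected | unknown
classify_xz() {
    pkg=$1
    case "$pkg" in
        "xz "*) ;;
        *) echo unknown; return 0 ;;   # not pacman's "xz <pkgver>-<pkgrel>" format
    esac
    ver=${pkg#xz }          # "5.6.1-2"
    pkgver=${ver%-*}        # "5.6.1"
    pkgrel=${ver##*-}       # "2"
    case "$pkgver" in
        5.6.0) echo affected ;;        # only ever built from the backdoored tarball
        5.6.1)
            # 5.6.1-1 came from the tarball; 5.6.1-2 and later were rebuilt from git
            if [ "$pkgrel" -ge 2 ] 2>/dev/null; then echo fixed; else echo affected; fi ;;
        *) echo not-affected ;;        # 5.4.x and earlier, or a later upstream release
    esac
}

# sshd_links_liblzma [PATH]: 0 if the binary is dynamically linked against
# liblzma (the condition the advisory cites for the malicious code path),
# 1 otherwise. Arch's advisory says its sshd does not link it, so 1 is expected.
sshd_links_liblzma() {
    bin=${1:-/usr/bin/sshd}
    [ -x "$bin" ] || return 1
    ldd "$bin" 2>/dev/null | grep -q liblzma
}

# check_running_containers: run the same package check inside each running
# Docker container (podman users: replace `docker` with `podman`).
check_running_containers() {
    command -v docker >/dev/null 2>&1 || { echo "docker: not installed, skipping"; return 0; }
    for c in $(docker ps -q 2>/dev/null); do
        if out=$(docker exec "$c" pacman -Q xz 2>/dev/null); then
            echo "$c: $out -> $(classify_xz "$out")"
        else
            echo "$c: pacman not available (not an Arch container?)"
        fi
    done
}

# Host check
if command -v pacman >/dev/null 2>&1; then
    host=$(pacman -Q xz 2>/dev/null) && echo "host: $host -> $(classify_xz "$host")"
fi
if sshd_links_liblzma; then
    echo "host: sshd links liblzma"
else
    echo "host: sshd does not link liblzma (or sshd is not installed)"
fi
check_running_containers
```

Run it as root (or with a user in the docker group) so that `docker exec` works; a container reporting `affected` means the image it was started from still carries the old package and has to be rebuilt and the container recreated, since updating the host does not touch the image layers. Classification only tells you which build of the package is installed, nothing more; for the sshd side, the advisory's statement that Arch's sshd does not link liblzma is what the second check reproduces.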

I actually just installed Docker and ran sudo docker image pull archlinux/archlinux for this purpose.

It was optional for those who use it…

Well… I guess it’s no big deal if I did, right?


Sure, if you don't need it, just remove it all.
