PLEASE. I keep seeing it in memes. As I understand it the latest version of the xz package (present in rolling release distros like Arch and SUSE Tumbleweed) has “a backdoor”, but I have no earthly clue what can be done by malicious folks with access to that backdoor or if I should be afraid or how to check if my distro is compromised or how to prevent damage if it is or (…)

    • KevonLooney@lemm.eeEnglish
      5·
      2 years ago

      This doesn’t answer the question: what is the purpose behind adding the vulnerability? What specific things are vulnerable? What could it be used to do?

      • SzethFriendOfNimi@lemmy.worldEnglish
        4·
        2 years ago

        To allow somebody to change how the encryption between a server and client is handled so the communication can be intercepted. Either by putting a thumb on the scale for the cipher used or outright using a particular key that is known by an attacker.

        E.g. to make a man in the middle or even passive traffic capture attack possible so they can choose to intercept supposedly secure traffic when they want to

        I don’t know if the full extent of what it can be used for it known yet. Just that how they hook the calls for the traffic allows for some pretty nasty scenarios.

    • TheFinn@discuss.tchncs.deEnglish
      2·
      2 years ago

      I’ve been wondering if there’s some kind of notification code that let’s the bad actor know they’ve successfully infected someone. Otherwise what’s the plan, trawl the entire IP space for devices your key can access? Wouldn’t it need UPNP or some other method to reach most people’s systems?