• 0 Posts
  • 12 Comments
Joined 1 year ago
Cake day: July 1st, 2023


  • ilmagico@lemmy.world to Selfhosted@lemmy.world: I tried to selfhost Nextcloud at work
    1 month ago

    Never upgrade to the latest and greatest of … anything really, especially in production. Let others test it first, or as suggested already, have a staging environment where you test the upgrade first. I guess you can still downgrade Nextcloud though, especially if you have a backup.

    Are you using the AIO image? I don’t know how well that works, but yeah, I absolutely hate automatic updates like that. I tried it once and I decided to use the plain “official but not supported” Docker image instead, where I manage things myself. Never had an issue, and I can control which version I’m running, I can back up to wherever I want, using whichever system I want, etc.





  • My point is, since its meaning depends on the context, I don’t see the issue for it to mean, in the context of containers, “outside of a container”. Just like in the case of VMs, or OS vs No OS, it means there’s one fewer layer between the app and the hardware, whether that’s a VM, Container runtime, or the OS.

    I’m pretty sure everybody, including you, understood its meaning in this context, it didn’t really cause any misunderstanding.






  • TL;DR: Simply downgrade to a version before 5.6.0, or follow the official recommendations for your distro. For Arch, for example, simply upgrade your system.

    Explanation (from my understanding): a malicious developer snuck a backdoor into xz, starting with version 5.6.0, and thankfully it was caught before it could do much damage. This seems to only affect Fedora and Debian-based distros, or otherwise distros where ssh is patched to link to systemd, which in turn links to xz. Arch doesn’t seem to be affected, but they took some preventative action. Again, follow the announcements from your distro, or just downgrade xz.

    It is not yet clear what a malicious actor can do with that backdoor, but it seems, in affected systems, it enables remote code execution (if you don’t know what that means, just know it’s really bad), but last I checked security researchers were still analyzing the code. Things move fast, so maybe by now it is known.