git.tukaani.org runs sshd. If that sshd was upgraded with the xz backdoor, we ca... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		dolmen on March 30, 2024 \| parent \| context \| favorite \| on: XZ backdoor: "It's RCE, not auth bypass, and gated... git.tukaani.org runs sshd. If that sshd was upgraded with the xz backdoor, we cannot exclude that the host was compromised as it could be have been a obvious target for the backdoor author.

bostik on March 31, 2024 [–]

Rather unlikely. The bad actor never had access to git.tukaani.org, and the sshd version running on that host is:

    SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u3

That is, a stable Debian release. Definitely not one with liblzma5:5.6.x

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact