Recent xz exploit?

Any word about whether the latest DietPi versions are affected by this latest exploit?

When I checked on a device running DietPi just after the xz issue was announced to the general public, the installed version was too old to be affected by the backdoor, both before and after updating software, meaning “no”, to the best of my knowledge.

We don’t maintain these packages ourselves. DietPi is a set of scripts on top of Debian. That means you can check the Debian global repository for the versions available.


well if that’s the case, it’s a blessing… but I’ll wait a few days, and see if there’s anything “on site” about it… there should be within a day or two either way

yeah ok I’ll do that… thanks for the idea

Debian stable is not affected as far as I know.

it appears that the Debian stable release isn’t affected. You wouldn’t happen to know if the latest DietPi version was built using the stable version, would you?

well running the test listed at

on my DietPi says it’s unaffected… in fact it uses older library files, from well before this exploit was released,
and the version I’m using is 9.1.1

To avoid a misunderstanding: DietPi is not its own operating system that is built from some source. It’s just a set of scripts running on Debian, and we use the Debian global package repository. Debian -- Packages

We don’t maintain, build or manage any of these packages. Furthermore, the DietPi version has no relation to any Debian package version. These are completely different things.

For 32-bit RPi, we use Raspberry Pi OS (source packages).

Also, to get a better understanding of what is now vulnerable and what is not:
Only the release tarballs are affected; the malicious package never made it into version control.
Also you, as a package maintainer, would need to build software which depends on liblzma 5.6.0 or 5.6.1, with the malicious tarballs from GitHub, to create a backdoored binary.

So just installing xz-utils from Debian testing/sid would make you not vulnerable.

source
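The check described a few posts up (running a version test on the DietPi box) and the explanation above of which upstream releases matter both boil down to one question: is the installed liblzma/xz-utils one of the two backdoored upstream releases, 5.6.0 or 5.6.1 (CVE-2024-3094)? The script below is an added example written for this thread, not a DietPi or Debian tool. It reads the installed versions with `dpkg-query` (a real Debian command) and reduces the Debian version string to its upstream version, taking into account the `+really` convention Debian uses when it re-uploads an older upstream under a higher version number. The sample version strings in the comments are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the forum thread or the DietPi project.
# Reports whether the xz/liblzma packages installed on a Debian-based
# system (DietPi included) are one of the upstream releases that shipped
# the CVE-2024-3094 backdoor (5.6.0 and 5.6.1).

# Reduce a Debian package version to its upstream version:
#   - drop the epoch            ("1:5.4.1-0.2"          -> "5.4.1-0.2")
#   - drop the Debian revision  ("5.4.1-0.2"            -> "5.4.1")
#   - honour "+really", which Debian uses to ship an older upstream under
#     a higher version number ("5.6.1+really5.4.5-1"  -> "5.4.5")
upstream_version() {
    v=$1
    v=${v#*:}                       # strip epoch, if any
    v=${v%%-*}                      # strip Debian revision, if any
    case $v in
        *+really*) v=${v##*+really} ;;   # keep the "real" upstream version
    esac
    printf '%s\n' "$v"
}

# Exit status 0 (true) if the Debian version string corresponds to a
# backdoored upstream release, 1 otherwise.
xz_version_affected() {
    case $(upstream_version "$1") in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Query the packages actually installed on this host. liblzma5 is the
# library a build could link against; xz-utils holds the command-line tools.
check_installed_xz() {
    for pkg in liblzma5 xz-utils; do
        ver=$(dpkg-query -W -f='${Version}' "$pkg" 2>/dev/null) || {
            printf '%s: not installed (or dpkg not available)\n' "$pkg"
            continue
        }
        if xz_version_affected "$ver"; then
            printf '%s %s: backdoored upstream release (CVE-2024-3094)\n' "$pkg" "$ver"
        else
            printf '%s %s: not one of the backdoored releases\n' "$pkg" "$ver"
        fi
    done
}

check_installed_xz
```

On a Debian bookworm / DietPi system the expected output is two lines reporting a 5.4.x version as not one of the backdoored releases, which matches what was reported earlier in the thread. The version comparison is a plain string match on the upstream part rather than `dpkg --compare-versions`, so it stays correct for the `+really` downgrade that Debian used to remove the affected release.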

well watching the DietPi installer, it’s pretty easy to see what it is by watching what it’s installing from where, and I really like the optimized packages.
Wasn’t trying to start trouble or a panic… but felt it was important enough to ask about… so I started digging and reported what I found… and they might want to put something about it on the website…

Just to round this up, the Debian security tracker overview:

https://security-tracker.debian.org/tracker/CVE-2024-3094
