XZ Utils backdoor vulnerability, identified by CVE-2024-3094

Hi,
According to many websites like those:

there is a major security issue (backdoor in xz compression library which could allow attackers to access affected systems using SSH)!

In your website (How to install DietPi - DietPi.com Docs) you mention: “It is xz-compressed so you will need to install either 7zip for Windows or The Unarchiver (Macintosh). Both are free of charge and have been tested to decompress the image correctly. Linux users will need to download and install xz-utils.”

I did NOT install xz-utils, but it might be included with the distro or any other optional apps that we can install within the DietPi-Software choices.

1- Should I be concerned with DietPi March 2024 (version 9.2)?
2- Do you plan to replace xz-compressed image with another format (.zip or anything else)?

Regards,
Stephane

As stated more than once, DietPi versions have no relationship to any Debian package version. The version of a Debian package is completely independent. The version of DietPi is meant for our own bash scripts. Nothing more.

Nothing like this is planned. As well, as already stated on another similar post, the Debian stable package doesn’t seem to be impacted.

Just check the already existing topic Recent xz exploit?

2 Likes

Just to round this up, the Debian security tracker overview

https://security-tracker.debian.org/tracker/CVE-2024-3094

1 Like

The systems which could have had the affected liblzma version are those where you downloaded one of our Trixie images (not on our download page), did a manual upgrade from Debian Bookworm to Debian Trixie or Sid, or use a RISC-V SBC, and then did an apt upgrade within a specific time frame. Debian however provided a patch via APT quickly after this became public, so any apt upgrade afterwards would fix it.

The attack however targeted x86_64 systems only, hence ARM and RISC-V systems would not have been attacked by this particular code injected by the liblzma build, from what we know. Also, since the OpenSSH server was the target of the attack, the default Dropbear SSH server on DietPi was not affected either.

In any case, a regular apt upgrade is always advised to have such kinds of vulnerabilities fixed ASAP, on all Debian and DietPi versions.

2 Likes
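An added exposure-triage script (not code from the DietPi forum or project) that applies the three conditions from the reply above (suite that received the package, x86_64 target, OpenSSH server target) to a Debian-based host. It assumes the Debian package names liblzma5, openssh-server and dropbear, and deliberately does not hard-code the affected version range: compare the printed liblzma5 version against the security tracker entry linked earlier in the thread.

```shell
#!/bin/sh
# Added example (not from the DietPi forum or project): local exposure triage for
# CVE-2024-3094, applying the conditions stated in the reply above:
#   - the affected liblzma build reached systems via apt on Debian Trixie/Sid
#     (and RISC-V builds), not on Debian stable
#   - the injected code targeted x86_64 only
#   - the OpenSSH server was the target; DietPi's default Dropbear was not affected
# The affected liblzma version range is not hard-coded here: check the printed
# liblzma5 version against the Debian security tracker entry for the CVE.

# classify SUITE ARCH SSHD -> prints "exposed", "review" or "unaffected"
classify() {
    if [ "$1" = unknown ]; then echo review; return 0; fi  # suite could not be read
    may_have_pkg=0; payload_target=0
    # Suites and architectures that could have pulled the affected package
    case "$1" in trixie|testing|sid|unstable) may_have_pkg=1 ;; esac
    case "$2" in riscv64) may_have_pkg=1 ;; esac
    # The injected code only acted on x86_64 hosts running the OpenSSH server
    case "$2" in x86_64|amd64) if [ "$3" = openssh ]; then payload_target=1; fi ;; esac
    if [ "$may_have_pkg" = 1 ] && [ "$payload_target" = 1 ]; then echo exposed
    elif [ "$may_have_pkg" = 1 ]; then echo review
    else echo unaffected
    fi
}

# Live detection helpers; each prints "unknown"/"none" instead of failing
detect_suite() { (. /etc/os-release && printf '%s\n' "${VERSION_CODENAME:-unknown}") 2>/dev/null || echo unknown; }
detect_arch()  { uname -m 2>/dev/null || echo unknown; }
installed()    { dpkg-query -W -f='${Status}' "$1" 2>/dev/null | grep -q 'install ok installed'; }
detect_sshd() {
    if installed openssh-server; then echo openssh
    elif installed dropbear || installed dropbear-bin; then echo dropbear
    else echo none
    fi
}
liblzma_version() { dpkg-query -W -f='${Version}' liblzma5 2>/dev/null || echo unknown; }

report() {
    suite=$(detect_suite); arch=$(detect_arch); sshd=$(detect_sshd)
    printf 'suite=%s arch=%s sshd=%s liblzma5=%s\n' "$suite" "$arch" "$sshd" "$(liblzma_version)"
    printf 'assessment: %s (verify the liblzma5 version against the tracker)\n' \
        "$(classify "$suite" "$arch" "$sshd")"
}
report
```

A "review" result means the package could have been present but the payload's own conditions were not met; an apt upgrade still resolves it, as the reply says.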