Tumbleweed today - xz security alert and CVE-2024-3094

If you’re using an up-to-date Tumbleweed, please make sure to update your system as soon as possible.

The latest versions of “xz” (5.6.0 and 5.6.1) contained malicious code (refer to CVE-2024-3094) and the package in Tumbleweed has been reverted back to version 5.4.

After reading this mail, please update your system and ensure you’re downgrading xz to the version 5.6.1.revertto5.4. This version, despite its name, is version 5.4. The last step is to reboot your system.

Hopefully we’ll soon have more detailed information about this CVE.

Have a nice weekend!

Ana from the openSUSE release team.

7 Likes

This should be pinned

1 Like

Some more details here: oss-security - backdoor in upstream xz/liblzma leading to ssh server compromise

2 Likes

Pinned - thanks for the suggestion, and to @larryr for helping spread this info.

2 Likes

What Konsole command do I need to find out the xz package I have installed on my system?

I found one zypper command that tells me what is on the repo, which is the 5.6.1 revert to 5.4 package.

I found another which gives me reams of information about the xz package which I don’t need to ever know, but not the version number.

So, if I simply want to ask the system “what version is my xz”, what am I typing into Konsole?

I feel like that would be useful information in the first post: “to find out if you might be affected, type this…”

rpm -q xz

Vulnerable: xz-5.6.0-1.1.x86_64
Fixed: xz-5.6.1.revertto5.4-3.2.x86_64

2 Likes

I believe from the article, you should also run rpm -qi liblzma5 and verify that library also shows the revertto change.

3 Likes
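The two checks from the answers above (rpm -q on xz and liblzma5, plus the fixed-package name being 5.6.1.revertto5.4) as a small POSIX sh script. This is an added example, not code from the thread or from openSUSE; the package-name patterns, the function names and the ldd check of /usr/sbin/sshd are this example's own assumptions.

```shell
#!/bin/sh
# Added example: classify installed xz / liblzma5 builds for CVE-2024-3094.
# The classification works on the NAME-VERSION-RELEASE.ARCH string that
# `rpm -q` prints, so it can be exercised without rpm being present.

# classify_xz_version PKGSTRING  -> prints vulnerable | reverted | ok | unknown
classify_xz_version() {
    pkg="$1"
    case "$pkg" in
        *.revertto5.4-*)      echo reverted ;;    # 5.6.1.revertto5.4 really is 5.4
        *-5.6.0-*|*-5.6.1-*)  echo vulnerable ;;  # the two backdoored releases
        *-5.[0-5].*)          echo ok ;;          # anything before 5.6
        *)                    echo unknown ;;     # not covered by this script
    esac
}

# check_installed: query rpm for both packages named in the thread.
# Returns 1 if any vulnerable build is installed. Only meaningful on RPM hosts.
check_installed() {
    status=0
    for name in xz liblzma5; do
        if ! pkgs=$(rpm -q "$name" 2>/dev/null); then
            echo "$name: not installed or rpm unavailable"
            continue
        fi
        for p in $pkgs; do                  # rpm -q prints one line per arch
            verdict=$(classify_xz_version "$p")
            echo "$p: $verdict"
            [ "$verdict" = vulnerable ] && status=1
        done
    done
    return $status
}

# sshd_links_liblzma: the thread notes the payload reaches sshd through
# libsystemd's dependency on liblzma; this shows whether that link exists.
# Returns 0 if linked, 1 if not, 2 if sshd is not installed.
sshd_links_liblzma() {
    bin=/usr/sbin/sshd                      # assumed path, as in the quoted report
    [ -x "$bin" ] || { echo "$bin not present"; return 2; }
    if ldd "$bin" 2>/dev/null | grep -q liblzma; then
        echo "$bin links liblzma (directly or via libsystemd)"
        return 0
    fi
    echo "$bin does not link liblzma"
    return 1
}

# When run directly on an openSUSE host, perform both checks.
if command -v rpm >/dev/null 2>&1; then
    check_installed || echo "ACTION: update, confirm 5.6.1.revertto5.4, then reboot"
    sshd_links_liblzma || true
fi
```

An "ok" verdict only means the installed build predates 5.6; it says nothing about whether a previously installed 5.6.x build was ever exploited.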

Smashing, I got what I wanted to hear: 5.4.5-1.1.x86-64. (It’s been a while since I updated, but at least there is no risk I have been compromised.)

thank you.

1 Like

Re: openSUSE addresses supply chain attack against xz compression library - openSUSE News

“For our openSUSE Tumbleweed users where SSH is exposed to the internet we recommend installing fresh, as it’s unknown if the backdoor has been exploited.”

Is this one of those situations where SUSE’s security defaults will have protected the average Joe desktop user, because everything tends to be locked down by the firewall by default? And unless you had cause to go to the firewall to enable access for SSH (as users must do with kdeconnect), then even if you had upgraded there would be no impact…

Edit: in this case I think the answer is no. I checked two of my systems and both had External - SSH = Allowed, and I can’t imagine I would have tinkered with that.

2 Likes

I just dropped in here to suggest that people at least regenerate sshd host keys. Consider them compromised.

“For our openSUSE Tumbleweed users where SSH is exposed to the internet we recommend installing fresh, as it’s unknown if the backdoor has been exploited.”

I’m going to venture a safe assumption that where this was exploited, it was used primarily on server environments and not at desktops (as is the case with virtually all attacks on Linux).

1 Like

xz and liblzma5 are on version 5.4.6-1.2 in fully updated openSUSE Slowroll.
But looking at the GitHub release history, these were also released by the same malicious maintainer/developer, Jia Tan.

They have been the lead dev/upstream maintainer of the xz project since 2022, so anything since then is suspect. The exploit hasn’t been fully reverse engineered; the reporter found that it targets SSH, but xz is everywhere, including systemd :dizzy_face:. We would have to wait and see how far this compromise extends, especially which other components that use xz are targeted by the exploit(s), as we don’t know if there were others in previous releases.

1 Like

What security do you think that gives you? Host keys are for the host to identify itself to the person/entity logging in, they provide no security benefit to the host itself.

Consider the private keys compromised at the very least. Something nasty was loaded into the sshd memory space…

Wow, the entire OS depends on this :poop:, at least according to zypper, so removing it is not an option :pleading_face::

pavin@suse-pc:~> sudo zypper rm --dry-run xz liblzma5 liblzma5-x86-64-v3
Reading installed packages...
Resolving package dependencies...

The following 1213 packages are going to be REMOVED:

The following 23 patterns are going to be REMOVED:
  base basesystem documentation enhanced_base gnome gnome_basic gnome_basis gnome_basis_opt gnome_imaging gnome_office gnome_utilities gnome_x11 gnome_yast imaging kvm_server
  kvm_tools laptop sw_management sw_management_gnome x11 x11_enhanced yast2_basis yast2_desktop

1213 packages to remove.
After the operation, 5.3 GiB will be freed.
Continue? [y/n/v/...? shows all options] (y): n

The backdoor only activates if the program running is explicitly /usr/bin/sshd.

Private keys never leave your host. Simply logging into a compromised host will not expose it.

Unless you also keep your private key on the host you think is compromised, rotating it buys you nothing. And if you think you were compromised, rotating keys won’t solve anything for you.

That’s what the reporter thinks and has been able to confirm.
Shortly after stating this:

Observed requirements for the exploit:
b) argv[0] needs to be /usr/sbin/sshd

He says:

It’s possible that argv[0] other /usr/sbin/sshd also would have effect - there
are obviously lots of servers linking to libsystemd.

Basically xz / lzma is everywhere, including systemd :skull_and_crossbones:, so it can target whatever links to libsystemd, including sshd and possibly many others!

It is everywhere… including SELinux, if you missed that one… you can leave libsystemd behind if you wish… it will still end up in sshd memory space…

1 Like