this post was submitted on 29 Mar 2024
369 points (99.7% liked)
Arch Linux
7744 readers
1 users here now
The beloved lightweight distro
founded 4 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
According to this guy Debian is the problem https://lemmy.ml/comment/9780209
Debian is not really the problem, but rather the target, just read the original announcement at https://www.openwall.com/lists/oss-security/2024/03/29/4:
So if you were using Arch, you were unaffected by this vulnerability because
/usr/sbin/sshd
which doesn't happen in Arch because they don't patch OpenSSH to support systemd (which in turn pulls in xz).This doesn't mean that Arch saved you because it's super secure or anything, but this was a supply chain attack that hit Arch (and Debian Sid, where the backdoor was actually caught because ssh logins took so long…), but it didn't trigger because it wasn't targeted.
Meaning there's no immediate need to be concerned, but you should update ASAP even though the Arch package probably doesn't contain backdoored artifacts.
The announcement link leads to a Not Found
It just worked fine when I checked right now
Thanks for telling that means arch is not compromised as of right now.
Thanks for clarifying. I read through the original announcement but I couldn't fully understand it
Typical Arch user.
English is not my native language and I am still pretty new to Linux. But it doesn't change the fact that Arch was not compromised and Debian is/was