Following the recent disclosure of a security vulnerability in the open source software liblzma/xz, versions 5.6.0 and 5.6.1, deepin has completed a check of all its products and confirmed that no version of the deepin operating system is affected by the vulnerability, so please feel free to use them.

  • Vulnerability Description: A backdoor has been discovered in the upstream code of xz versions 5.6.0 and 5.6.1. It alters the build output by adding binary data disguised as test files, whose contents are then extracted by the build script and folded into the compiled result. Initial research has shown that the generated code hooks into OpenSSH's RSA encryption-related functions, allowing attackers to bypass RSA signature verification in a specific way; other possible implications are still being investigated. Because liblzma/xz is a popular compression library used by most Linux distributions, the vulnerability has a wide impact.
  • Vulnerability Hazard Level: High.
  • Scope of vulnerability: 5.6.0 <= xz-utils <= 5.6.1.

deepin Operating System Impact Analysis

  • The version of xz-utils on deepin V23 is 5.4.5, which is outside the affected range, so deepin V23 is not affected by this vulnerability.
  • The version of xz-utils on deepin V20.9 is 5.2.4, which is outside the affected range, so deepin V20.9 is not affected by this vulnerability.
  • All other versions of the deepin operating system have been verified to be free of this vulnerability, so please feel free to use them.
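As an added illustration of the scope check above (this is example code, not deepin's own tooling), the following Python snippet parses an xz version string, either the first line of `xz --version` or a Debian-style package version as a dpkg-based system such as deepin would report it, and reports whether the upstream version falls inside the affected range 5.6.0 through 5.6.1. The handling of the Debian epoch, revision and `+really` rollback suffix is an assumption about that packaging convention and is not described in the advisory.

```python
import re
import subprocess

# Affected range taken from the advisory: 5.6.0 <= xz-utils <= 5.6.1
AFFECTED_MIN = (5, 6, 0)
AFFECTED_MAX = (5, 6, 1)


def upstream_version(version_string: str) -> tuple:
    """Extract the upstream xz version as an (major, minor, patch) tuple.

    Accepts "xz (XZ Utils) 5.4.5" (first line of `xz --version`) or a
    Debian-style package version such as "1:5.6.1+really5.4.5-1".
    Epoch, Debian revision and the "+really" rollback marker are stripped;
    that convention is assumed here, the advisory itself does not mention it.
    """
    token = version_string.strip().split()[-1]   # "5.4.5" from "xz (XZ Utils) 5.4.5"
    token = token.split(":", 1)[-1]              # drop Debian epoch, e.g. "1:"
    token = token.split("-", 1)[0]               # drop Debian revision, e.g. "-1"
    if "+really" in token:                       # rollback packages carry the real version after "+really"
        token = token.split("+really", 1)[1]
    match = re.match(r"(\d+)\.(\d+)\.(\d+)", token)
    if not match:
        raise ValueError(f"cannot parse an xz version from {version_string!r}")
    return tuple(int(part) for part in match.groups())


def is_affected(version_string: str) -> bool:
    """True when the upstream version lies inside the advisory's affected range."""
    return AFFECTED_MIN <= upstream_version(version_string) <= AFFECTED_MAX


def check_installed_xz() -> tuple:
    """Run `xz --version` on this host and return (reported line, affected?)."""
    out = subprocess.run(["xz", "--version"], capture_output=True, text=True, check=True).stdout
    first_line = out.splitlines()[0]
    return first_line, is_affected(first_line)


if __name__ == "__main__":
    # Constructed sample strings covering the versions named in the advisory.
    for sample in ("xz (XZ Utils) 5.4.5", "5.2.4-1", "5.6.0", "5.6.1-1"):
        print(f"{sample:24s} affected={is_affected(sample)}")
    try:
        line, hit = check_installed_xz()
        print(f"installed: {line!r} affected={hit}")
    except FileNotFoundError:
        print("xz is not installed on this host")
```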

deepin is committed to providing users around the world with beautiful, easy-to-use, secure and reliable Linux distributions, and while continuously improving the user experience, it has always prioritized operating system security. deepin will continue to improve its security capabilities, and consolidate the underlying operating system and application security foundation!

Content source: deepin community
Reprinted with attribution