Arch isn't affected afaik, as it specifically targeted Debian and RPM. Also, sshd isn't linked against liblzma (or something along those lines). And I hope that's true, because otherwise, I had a backdoor on a public system for over a month.

[–] user224@lemmy.sdf.org 0 points 7 months ago* (last edited 7 months ago) (2 children)

And the packages on most distros should be long updated by now.

Even Termux updated to 5.6.1+really5.4.5 just 2 hours after Arch Linux.

[–] 30p87@feddit.de 0 points 7 months ago

I just updated all packages in Termux actually lol

[–] Pantherina@feddit.de 0 points 7 months ago (1 children)

very nice!

[–] user224@lemmy.sdf.org 0 points 7 months ago (1 children)

What package manager is that?

[–] Pantherina@feddit.de 0 points 7 months ago

Nala, Termux is Debian based and its pkg is basically apt

[–] wildbus8979@sh.itjust.works 0 points 7 months ago (1 children)

https://archlinux.org/news/the-xz-package-has-been-backdoored/

[–] 30p87@feddit.de 0 points 7 months ago

And as https://www.openwall.com/lists/oss-security/2024/03/29/4 says:

"These conditions include targeting only x86-64 linux: [...] Building with gcc and the gnu linker [...] Running as part of a debian or RPM package build:"

I'm not an expert of course.