Security question about upstream

The Register is running an article as linked above. I noticed an update on Zorin 16.3 Lite to SSH come through recently. What action to take if any?

2 Likes

This doesn't affect SSH. It's related specifically to the package liblzma5 version 5.6.0 or higher. Zorin OS 17.1 uses version 5.2.5, so it's not affected by this.

Another example of how newer is not always better.

3 Likes

Latest changelog for this particular version in Ubuntu repositories was published in April 2022.

It's possible the vulnerability affects older versions than what is being reported, and has simply gone undetected. But there's not much point in taking action without knowing that is the case, either.

In a distribution like Zorin OS it's not always feasible to do this. The reason is that packages have dependencies (other packages they rely on to work), and a mismatch in package versions can cause issues. In this case in particular, one of the dependencies is libc6 which is a critical system library, so it's quite an important one. Upgrading (or downgrading) this version will surely cause issues with other packages.

However, looking at liblzma5 version 5.4.1, it has the same dependency on libc6 at version 2.34, which is the same as 5.2.5 used in Zorin OS 17. So, in theory, it should work without issues. But as you pointed out, this version is not yet available on the official repositories (that's a different story); you can still download it from other sources or compile it yourself if you really want to.

In my opinion, unless you have good reason to do this, just leave it be as it's probably not worth the effort.

2 Likes
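A version check in the spirit of the two posts above, added here as an example and not something posted in the thread: it classifies the installed liblzma5 against the range the thread reports as affected (5.6.0 or higher) and checks the libc6 floor the thread mentions for the 5.4.1 build (2.34). It assumes a Debian/Ubuntu-style system with dpkg-query; the sample version strings at the bottom are constructed so the script also runs where dpkg is absent.

```shell
#!/bin/sh
# Added example (not from the forum thread). Assumes dpkg-query is available
# on the Zorin/Ubuntu host; sample versions below are constructed, not real.
REPORTED_MIN=5.6.0      # lower bound of the affected range stated in the thread
LIBC6_FLOOR=2.34        # libc6 version the 5.4.1 liblzma5 build depends on, per the thread

# Compare two dotted versions numerically; prints -1, 0 or 1.
# Debian revision suffixes ("5.2.5-2ubuntu1", "5.4.1~rc1") are stripped first.
version_cmp() {
    a=${1%%[-+~]*}
    b=${2%%[-+~]*}
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac   # drop the consumed component
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        ai=${ai:-0}; bi=${bi:-0}                      # missing components count as 0
        [ "$ai" -lt "$bi" ] && { printf '%s\n' -1; return; }
        [ "$ai" -gt "$bi" ] && { printf '%s\n' 1; return; }
    done
    printf '%s\n' 0
}

# "in-reported-range" for versions >= 5.6.0, otherwise "not-in-reported-range".
liblzma_status() {
    if [ "$(version_cmp "$1" "$REPORTED_MIN")" -lt 0 ]; then
        echo not-in-reported-range
    else
        echo in-reported-range
    fi
}

# "ok" when a libc6 version meets the floor the 5.4.1 build expects, else "too-old".
libc6_satisfies_floor() {
    if [ "$(version_cmp "$1" "$LIBC6_FLOOR")" -ge 0 ]; then echo ok; else echo too-old; fi
}

# Installed version of a package via dpkg, or empty when unavailable.
installed_version() {
    command -v dpkg-query >/dev/null 2>&1 && dpkg-query -W -f '${Version}' "$1" 2>/dev/null
}

main() {
    lz=$(installed_version liblzma5); gl=$(installed_version libc6)
    [ -n "$lz" ] && echo "installed liblzma5 $lz: $(liblzma_status "$lz")"
    [ -n "$gl" ] && echo "installed libc6 $gl: $(libc6_satisfies_floor "$gl")"
    for s in 5.2.5-2ubuntu1 5.4.1-0.2 5.6.0-0.2 5.6.1-1; do   # constructed samples
        echo "sample liblzma5 $s: $(liblzma_status "$s")"
    done
}
main
```

A "not-in-reported-range" result only says the package is outside the range the thread cites; it does not replace the distribution's own advisory for the CVE.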

fossfreedom, Ubuntu Budgie team member, wrote this on the development release thread.

Also there is an emergency due to this security issue oss-security - backdoor in upstream xz/liblzma leading to ssh server compromise - devs are working the Easter break to resolve. Expect more fixes here.

3 Likes

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.