Security question about upstream

The Register is running an article as linked above. I noticed an update on Zorin 16.3 Lite to SSH come through recently. What action to take, if any?

2 Likes

This doesn't affect SSH. It's related specifically to the package liblzma5 version 5.6.0 or higher. Zorin OS 17.1 uses version 5.2.5, so it's not affected by this.

Another example of how newer is not always better.

3 Likes

I am also wondering about this. Checking the version of xz it appears to be on 5.2.5, and trying to upgrade the version it does not go up from this version - I am not expert enough to know if it would be possible to manually upgrade to a newer version. Nonetheless the version that the security issue was on is 5.6.0 and 5.6.1 so in theory (if all Zorin versions use 5.2.5) then Zorin shouldn't be impacted. However I did see somewhere that the person who contributed the backdoor to xz had apparently been working on the project "for years" (Backdoor in upstream xz/liblzma leading to SSH server compromise | Hacker News) so I'm not sure - I don't know how old 5.2.5 is.

1 Like
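For anyone wanting to repeat the version check described in the post above, here is an added example (not posted by anyone in this thread) that classifies a Debian-style liblzma5 / xz version string against the releases named here (5.6.0 and 5.6.1). It assumes a dpkg-based system where the package is called liblzma5; the comparison functions themselves need neither dpkg nor network access.

```shell
#!/bin/sh
# Added example: classify an installed liblzma5 / xz version against the
# affected releases named in this thread (5.6.0 and 5.6.1).
# Assumes a Debian/Ubuntu-style package version such as "1:5.2.5-2ubuntu1".

# Strip Debian packaging decorations: "1:5.2.5-2ubuntu1" -> "5.2.5"
upstream_version() {
  v="$1"
  v="${v#*:}"      # drop the epoch (everything up to the first colon)
  v="${v%%-*}"     # drop the Debian revision (everything from the first dash)
  printf '%s\n' "$v"
}

# Compare two dotted versions numerically, field by field (up to 3 fields).
# Prints -1, 0 or 1, like strcmp.
version_cmp() {
  a="$1"; b="$2"; i=1
  while [ "$i" -le 3 ]; do
    x=$(printf '%s' "$a" | cut -d. -f"$i"); x=${x%%[!0-9]*}; x=${x:-0}
    y=$(printf '%s' "$b" | cut -d. -f"$i"); y=${y%%[!0-9]*}; y=${y:-0}
    if [ "$x" -lt "$y" ]; then echo -1; return; fi
    if [ "$x" -gt "$y" ]; then echo 1; return; fi
    i=$((i+1))
  done
  echo 0
}

# Verdict using the thread's numbers: 5.6.0 and 5.6.1 carry the backdoor;
# 5.2.5 (Zorin OS 17) and 5.4.1 predate it.
xz_status() {
  v=$(upstream_version "$1")
  if [ "$(version_cmp "$v" 5.6.0)" -lt 0 ]; then
    echo "not-affected"   # older than the first backdoored release
  elif [ "$(version_cmp "$v" 5.6.1)" -le 0 ]; then
    echo "affected"       # 5.6.0 or 5.6.1
  else
    echo "review"         # newer than 5.6.1: confirm against your distro's advisory
  fi
}

# Query the live system (dpkg-based distros only) and print the verdict.
# Usage: . ./xz_check.sh; check_installed_liblzma
check_installed_liblzma() {
  pkgver=$(dpkg-query -W -f='${Version}' liblzma5 2>/dev/null) || return 1
  printf 'liblzma5 %s -> %s\n' "$pkgver" "$(xz_status "$pkgver")"
}
```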

Latest changelog for this particular version in Ubuntu repositories was published in April 2022.

It's possible the vulnerability affects older versions than what is being reported, and has simply gone undetected. But there's not much point in taking action without knowing that is the case, either.

In a distribution like Zorin OS it's not always feasible to do this. The reason is that packages have dependencies (other packages they rely on to work), and a mismatch in package versions can cause issues. In this case in particular, one of the dependencies is libc6 which is a critical system library, so it's quite an important one. Upgrading (or downgrading) this version will surely cause issues with other packages.

However, looking at liblzma5 version 5.4.1 it has the same dependency of libc6 at version 2.34 which is the same as 5.2.5 used in Zorin OS 17. So, in theory, it should work without issues. But as you pointed out, this version is not yet available on the official repositories (that's a different story); you can still download it from other sources or compile it yourself if you really want to.

In my opinion, unless you have good reason to do this, just leave it be as it's probably not worth the effort.

2 Likes

fossfreedom, Ubuntu Budgie team member, wrote this on the development release thread.

Also there is an emergency due to this security issue oss-security - backdoor in upstream xz/liblzma leading to ssh server compromise - devs are working the Easter break to resolve. Expect more fixes here.

3 Likes