XZ Vulnerability

How can I verify what version I have of xz? What are the commands to check all this?

In a terminal window:

xz --version

2 Likes

Alternatively to @Maxwell-J's way, you can type apt list liblzma5

Just for clarity if anyone else is interested, the affected versions are 5.6 upwards.
Zorin is using an earlier version, 5.2.5 (and so is my KDE neon user OS).

https://unit42.paloaltonetworks.com/threat-brief-xz-utils-cve-2024-3094/

I even found a web page to check files if they are vulnerable to xz malware. But it is hard to know what to look for. I opened Konsole (Terminal) in KDE neon and searched for xz files. I could not readily recognise which were the type of files affected. Some dragged were not xz files, others that were, were clean.
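
The version check discussed above as a script (an added example, not written by any poster in this thread): it reads the output of xz --version and apt list liblzma5 and flags upstream releases 5.6.0 and 5.6.1, the ones covered by CVE-2024-3094. The function names and the sample text are assumptions made for the example, and the +really handling assumes Debian-style version strings for a package reverted to older upstream code.

```shell
#!/bin/sh
# Added example (not from the thread): classify xz / liblzma version strings.
# Upstream releases 5.6.0 and 5.6.1 are the ones covered by CVE-2024-3094.

# Print every version token found in `xz --version` or `apt list liblzma5` output.
extract_versions() {
    printf '%s\n' "$1" | sed -n \
        -e 's/^xz (XZ Utils) \([^ ]*\).*/\1/p' \
        -e 's/^liblzma \([^ ]*\).*/\1/p' \
        -e 's/^liblzma5\/[^ ]* \([^ ]*\).*/\1/p'
}

# Reduce a package version to the upstream x.y.z it actually ships.
upstream_version() {
    v=$1
    case $v in *+really*) v=${v#*+really} ;; esac   # assumed Debian-style revert marker
    printf '%s\n' "${v%%[-+~]*}"                      # drop the packaging suffix
}

# Print "affected" or "not-affected" for one version string.
classify_version() {
    case $(upstream_version "$1") in
        5.6.0|5.6.1) echo affected ;;
        *)           echo not-affected ;;
    esac
}

# Print "<version> <status>" per finding; return 1 if anything is affected.
check_report() {
    rc=0
    for v in $(extract_versions "$1"); do
        s=$(classify_version "$v")
        echo "$v $s"
        if [ "$s" = affected ]; then rc=1; fi
    done
    return $rc
}

# Constructed sample input (not captured from a real host).
SAMPLE='xz (XZ Utils) 5.2.5
liblzma 5.2.5
liblzma5/jammy,now 5.2.5-2ubuntu1 amd64 [installed]'
check_report "$SAMPLE"
```

To check a live system, pass the real command output instead of the sample, for example check_report "$(xz --version; apt list liblzma5 2>/dev/null)".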

A fix was released April 1st for affected operating systems in the Ubuntu family.

Here's also a lite rundown of affected systems (subject to change):

There are plenty of resources online about this thread that look into it with some detail, but I found this to be an interesting one:

1 Like

I was annoyed with Zorin because it does not use the latest version of Ubuntu, but it seems that it is an advantage and that saved Zorin from that vulnerability.

A lot of people suffer from Shiny New Stuff Syndrome. They think they need the latest version of, well, whatever: software, phone, clothes, etc... When the need is real, I'd rather put in the extra effort to work around this than expose myself to sudden, breaking changes and security vulnerabilities.

Debian and other distributions that follow this release model are not invulnerable. In fact, it was pure luck that this backdoor didn't make it into the stable repositories, as it could've gone unnoticed for who knows how much longer... but it's an excellent example of how newer does not mean better.

3 Likes

Also avoid media FUD as a distraction from what is really failing, Microsoft:

http://techrights.org/n/2024/04/11/Video_How_the_Media_Blamed_SSH_and_Linux_for_Nearly_a_Whole_For.shtml

1 Like