In the latest liblzma update, a trusted bad actor called 'JiaT75' implemented a backdoor that allows RCE (sending calls to system()) on SSH connections. Here I look into the case and explain how it works.
Links:
AndresFreundTec on Mastodon: mastodon.socia...
openwall email: www.openwall.c...
debian repo: salsa.debian.o...
Filippo Valsorda on bsky: bsky.app/profi...
Oct 5, 2024