Would my main PC with Devuan Ceres Xfce with runit instead of systemd be affected? Would this kind of exploit be possible without systemd?

I'm afraid it's a lot more sinister than that. This exploit code has been gradually introduced and refined in the repository over the course of at least a year.

The issue is that the SSHD builds on many distros link to libsystemd, which in turn links to liblzma. This can be exploited to get SSHD to run evil code that's been carefully hidden in liblzma…

I can say for sure (having worked for big companies) that they don't review everything. Consider something like pulling a new version of LLVM or Boost. No one at Google sits down and check every single changed line, it would be infeasible. You review new dependencies, sure. Depending on the company you may sit down and review it line by line, but probably not for a big dependency. Also code review doesn't catch everything (otherwise we wouldn't have bugs in general).

So yeah your comment is a load of bullshit (as usual).

1. Whataboutism
2. Show me backdoors in Windows, I dare you.

Nice hearsay. Show me a CVE, please. The fact that some leaked slides stated that Outlook might have been backdoored doesn't mean its public releases ever were.

Microsoft is a $2 trillion company with 2 billion customers and has a reputation to keep. Random Linux distros often created by people with no credentials and zero information have nothing to keep.

There's no update, bodhi has zero info on it. It's not been pushed.

The only workaround right now is

which I've already done.

According to the vast majority of open source fans, Linux is a lot more secure than Windows because it's open source.

I'm pretty sure aside from a minor public apology and some reverts, nothing else will be done and everything will be business as usual while hackers will try to infiltrate other open source projects (if it's not already been done which is impossible to say).

Except they do.

Except LLVM and GCC include developers from Apple, Microsoft, Google, Intel, AMD and RedHat.

Good luck trying to push a malicious commit to either of these compilers. BS is on you, not me.

I get it Linux is very close to your heart but it would be nice if you admitted what I wrote about is kinda true even it it doesn't sound pretty or you're welcome to show backdoors in software products made by major corporations such as MS, Google or Apple. Good luck with that.

There has a been a lot of BS in this discussion about backdoors in closed source software but no one has been able to demonstrate those aside from an article in The Register which doesn't talk about an actual incident but about leaked slides.

Better yet, show me ANY managed service that has issued a CVE

CVEs are generally reserved for software you would run yourself on your hardware, not something that Microsoft backdoored for the NSA that they run on their own servers.

But there are CVEs for issues with customer hardware/software, like for Cisco firewalls, that had "vulnerabilities" for many years that likely were intentionally added for the NSA, adding them as "vulnerabilities" instead of obvious backdoors, when the binaries are inspectable, allows for plausible deniability.

This XZ malware has been assigned a CVE. And no CVEs for Outlook, right? Great! Only an article in the Register and zero info on any other reputable source, including Microsoft? Great!

Cisco is not on the list of companies that I've mentioned specifically now three times.

Keep on digging. Just please don't try to make shit up, so far you've been doing just that.

BTW, US authorities have not been able to demonstrate a single backdoor in Huawei network equipment and they banned the company regardless. See? I'm also good at whataboutism.

Talk facts, please.

I'll hold your beer. https://arstechnica.com/security/202...dware-feature/

Again, as I stated earlier, unpatched vulns all leading to a backdoor. Denial ain't just a river in Egypt son.

The article talks about an unpatched vulnerability. How is this relevant at all to this discussion? You're now person N10 in this discussion who says "But what about?" This is not an argument, OK?

We're now discussing malware/backdoor distributed by Linux distros.

BTW it's not limited to Fedora 40, Fedora Rawhide and Debian SID. It's found its way to Arch Linux, NixOS unstable, Gentoo, OpenSuse factory/tumbleweed, LibreELEC, AlpineEdge, Solus, NixOS unstable, OpenIndiana, Mandriva rolling, Slackware current, Manjaro testing, pkgsrc current. A lovely list.

Many eyes check the code, they said. No way malware can be pushed and distributed, they said.

Most people here don't even realize the gravity of the situation.

if you're on fedora run `sudo dnf downgrade xz`.
Should put it to the oldest version available for your repo