CachyOS Making Use Of Plymouth For Better Boot Experience, Mitigates For XZ Fiasco

• #21
Originally posted by ptr1337:
    Thanks for posting, Michael.

    This was a quite unintended release, but due to the xz CVE we decided to bring it.
    Anyway, CachyOS and Arch don't seem to be affected at all, but better safe than sorry.

Why not ship an older version instead of trying to patch out the malware? If you or the researchers missed anything, it might still have serious vulnerabilities.

• #22
Originally posted by EphemeralEft:
    Why not ship an older version instead of trying to patch out the malware? If you or the researchers missed anything, it might still have serious vulnerabilities.

If they're not affected because the backdoor isn't included in the binary or their setup does not provide an entry point, they can do whatever they want, because they are not affected. They build from source, they are not Debian/RedHat, they don't link with systemd.

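The "entry point" #22 is talking about is sshd loading liblzma: on the distros that were exposed, sshd is patched to link libsystemd, and libsystemd in turn pulls in liblzma, so a backdoored liblzma ends up mapped into the SSH daemon. A build without that link has no such path. The following is an added example (not code from the thread, from CachyOS, or from any distro) that parses `ldd` output for an sshd binary and reports whether that path exists. The two `ldd` samples are constructed; `live_check` and its fallback sshd path are assumptions.

```python
"""Does this sshd pull in liblzma?  The xz backdoor reached sshd only on
distros whose sshd links libsystemd, which in turn loads liblzma; a build
without that link (as #22 describes) has no such entry point.

Added example, not code from the thread or from CachyOS.  The ldd output
below is constructed; `live_check` and its fallback sshd path are assumptions.
"""
import re
import shutil
import subprocess
from typing import Dict, Optional

# Constructed `ldd` output for an sshd that links libsystemd (and so liblzma).
SAMPLE_LDD_LINKED = """\
        linux-vdso.so.1 (0x00007ffd4a1f2000)
        libcrypto.so.3 => /usr/lib/libcrypto.so.3 (0x00007f1a0c000000)
        libsystemd.so.0 => /usr/lib/libsystemd.so.0 (0x00007f1a0bf00000)
        liblzma.so.5 => /usr/lib/liblzma.so.5 (0x00007f1a0be00000)
        libc.so.6 => /usr/lib/libc.so.6 (0x00007f1a0bc00000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f1a0c2a0000)
"""

# Constructed `ldd` output for an sshd built without libsystemd.
SAMPLE_LDD_CLEAN = """\
        linux-vdso.so.1 (0x00007ffd4a1f2000)
        libcrypto.so.3 => /usr/lib/libcrypto.so.3 (0x00007f1a0c000000)
        libc.so.6 => /usr/lib/libc.so.6 (0x00007f1a0bc00000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f1a0c2a0000)
"""

# One resolved dependency per line: "<soname> => <path> (<addr>)".
_LDD_LINE = re.compile(r"^\s*(?P<soname>\S+)\s*=>\s*(?P<path>\S+)")


def parse_ldd(output: str) -> Dict[str, str]:
    """Map each resolved soname to the path ldd resolved it to.
    The vdso and the dynamic loader have no '=>' and are skipped."""
    deps: Dict[str, str] = {}
    for line in output.splitlines():
        m = _LDD_LINE.match(line)
        if m:
            deps[m.group("soname")] = m.group("path")
    return deps


def xz_exposure(deps: Dict[str, str]) -> Dict[str, bool]:
    """Report whether liblzma is mapped into sshd (the entry point) and whether
    libsystemd is the library that brings it in (the usual reason).
    This says nothing about whether the liblzma build itself is trojaned."""
    links_lzma = any(n.startswith("liblzma.so") for n in deps)
    links_systemd = any(n.startswith("libsystemd.so") for n in deps)
    return {
        "liblzma": links_lzma,
        "libsystemd": links_systemd,
        "sshd_entry_point": links_lzma,
        "via_libsystemd": links_lzma and links_systemd,
    }


def live_check(sshd_path: Optional[str] = None) -> Optional[Dict[str, bool]]:
    """Run ldd on the local sshd (found on PATH, else an assumed /usr/bin/sshd)
    and return xz_exposure(); None if ldd is missing or the binary can't be read."""
    sshd = sshd_path or shutil.which("sshd") or "/usr/bin/sshd"
    if shutil.which("ldd") is None:
        return None
    try:
        out = subprocess.run(["ldd", sshd], capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
    return xz_exposure(parse_ldd(out))


if __name__ == "__main__":
    for label, sample in (("linked", SAMPLE_LDD_LINKED), ("clean", SAMPLE_LDD_CLEAN)):
        print(label, xz_exposure(parse_ldd(sample)))
    print("this host:", live_check())
```

The check answers only the narrower question of whether sshd can reach liblzma at all; a liblzma that is itself a backdoored build is still worth replacing regardless of what sshd links, which is what the CachyOS update in the article does.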
• #23
Originally posted by ptr1337:
    We have supported encrypted ZFS installs via LUKS for around 9 months.
    We found an issue with plymouth when it is used with ZFS encryption and will provide a fix in the next hour (this gets applied on demand at the user's online installation).

    Currently, via Calamares, only a direct install on root is possible, like with its own disk/partition. We are planning to provide zfsbootmenu support in the CLI installer.

Ahh, sorry, I should have been clearer. I meant native ZFS encryption. I poked around with the Calamares installer a few weeks ago and noticed ZFS on root but no native encryption there. Super cool about ZFSBootMenu support in the CLI installer.

• #24
The XZ fiasco shows that rolling distros like Arch are really, really dangerous.

The only people who can safely handle this are Valve, because they established their own versioning system with their Steam Deck images.

(edit) I know Arch was not affected by the XZ fiasco, but I still think rolling distros are dangerous.
Last edited by qarium; 02 April 2024, 01:06 PM.
Phantom circuit Sequence Reducer Dyslexia

• #25
Originally posted by qarium:
    The XZ fiasco shows that rolling distros like Arch are really, really dangerous.

    The only people who can safely handle this are Valve, because they established their own versioning system with their Steam Deck images.

    (edit) I know Arch was not affected by the XZ fiasco, but I still think rolling distros are dangerous.

And yet without them, rolling/testing distros, it would not have been discovered.

• #26
Originally posted by pWe00Iri3e7Z9lHOX2Qx:
    Ahh, sorry, I should have been clearer. I meant native ZFS encryption. I poked around with the Calamares installer a few weeks ago and noticed ZFS on root but no native encryption there. Super cool about ZFSBootMenu support in the CLI installer.

I need to correct myself. It does use native encryption; I just checked when doing a test install:

Code:
2024-04-02 - 19:04:49 [6]: .. Running QList("zpool", "create", "-f", "-o", "ashift=12", "-o", "autotrim=on", "-O", "mountpoint=none", "-O", "acltype=posixacl", "-O", "atime=off", "-O", "relatime=off", "-O", "xattr=sa", "-O", "normalization=formD", "-O", "dnodesize=auto", "-O", "encryption=aes-256-gcm", "-O", "keyformat=passphrase", "zpcachyos", "/dev/disk/by-partuuid/8cee85ba-2bef-489a-9b30-63d20da38b76")

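The log line above is the evidence that native encryption is on: `-O encryption=aes-256-gcm` and `-O keyformat=passphrase` are root-dataset properties passed to `zpool create`, and since ZFS native encryption can only be enabled when a dataset is created, the installer's `zpool create` call is exactly where to verify it. As an added example (not CachyOS or Calamares code), here is a Python parser for that `QList(...)` log format that splits the `zpool create` argv into `-o` pool options, `-O` dataset properties, flags, pool name and vdevs, and then checks the encryption properties. The log line is the one quoted in the post; which properties to check is my own assumption.

```python
"""Parse the `zpool create` call Calamares logged (the QList(...) line in the
post above) and check that the pool was created with native ZFS encryption.
Added example, not CachyOS or Calamares code.  The log line is the one from
the post; the property checks are my own assumptions about what to look for.
"""
import re
from typing import Dict, List, Tuple

# Log line copied from the post above (split across lines for width only).
CALAMARES_LINE = (
    '2024-04-02 - 19:04:49 [6]: .. Running QList("zpool", "create", "-f", '
    '"-o", "ashift=12", "-o", "autotrim=on", "-O", "mountpoint=none", '
    '"-O", "acltype=posixacl", "-O", "atime=off", "-O", "relatime=off", '
    '"-O", "xattr=sa", "-O", "normalization=formD", "-O", "dnodesize=auto", '
    '"-O", "encryption=aes-256-gcm", "-O", "keyformat=passphrase", '
    '"zpcachyos", "/dev/disk/by-partuuid/8cee85ba-2bef-489a-9b30-63d20da38b76")'
)

_QLIST = re.compile(r"QList\((.*)\)\s*$")          # everything inside QList(...)
_QSTR = re.compile(r'"((?:[^"\\]|\\.)*)"')         # one double-quoted argument


def qlist_argv(line: str) -> List[str]:
    """Return the quoted arguments of the QList(...) in a Calamares log line."""
    m = _QLIST.search(line)
    if not m:
        raise ValueError("no QList(...) in line")
    return [s.replace('\\"', '"') for s in _QSTR.findall(m.group(1))]


def zpool_create_args(argv: List[str]) -> Dict[str, object]:
    """Split a `zpool create` argv into pool options (-o), root-dataset
    properties (-O), bare flags, the pool name and the vdev list."""
    if argv[:2] != ["zpool", "create"]:
        raise ValueError("not a zpool create command")
    pool_opts: Dict[str, str] = {}
    ds_props: Dict[str, str] = {}
    flags: List[str] = []
    positional: List[str] = []
    i = 2
    while i < len(argv):
        tok = argv[i]
        if tok in ("-o", "-O"):
            # -o/-O take a key=value argument; -o is a pool property, -O a dataset property
            key, _, val = argv[i + 1].partition("=")
            (pool_opts if tok == "-o" else ds_props)[key] = val
            i += 2
        elif tok.startswith("-"):
            flags.append(tok)
            i += 1
        else:
            positional.append(tok)   # first positional is the pool name, rest are vdevs
            i += 1
    return {"pool_opts": pool_opts, "ds_props": ds_props, "flags": flags,
            "pool": positional[0] if positional else None, "vdevs": positional[1:]}


def native_encryption_status(ds_props: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Native encryption can only be set at dataset creation, so the -O
    properties of `zpool create` are where to verify it.  Returns (ok, problems)."""
    problems: List[str] = []
    enc = ds_props.get("encryption", "off")   # ZFS default is off
    if enc == "off":
        problems.append("encryption=off: root dataset is not natively encrypted")
    elif "keyformat" not in ds_props:
        problems.append("encryption set but no keyformat (passphrase/raw/hex) given")
    return (not problems, problems)


if __name__ == "__main__":
    info = zpool_create_args(qlist_argv(CALAMARES_LINE))
    print("pool:", info["pool"], "cipher:", info["ds_props"].get("encryption"))
    print("native encryption:", native_encryption_status(info["ds_props"]))
```

Pointing the parser at the installer's session log is a cheap post-install audit: if a future installer change dropped the `-O encryption=` pair, the check fails loudly instead of the system silently ending up on an unencrypted root dataset.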
• #27
Originally posted by pWe00Iri3e7Z9lHOX2Qx:
    I wouldn't say "very specific" in this case. The fact that they only cared about RPM and DEB build targets basically tells you they cared about all the enterprise distros (RHEL / SUSE / Ubuntu / Debian). It was a combination of timing / luck / one curious mind that avoided a total farking disaster several months down the line. One dude (employed by Microsoft) doing some micro-benchmarking.
    Whoever these shitheads were, they even had Google's OSS-Fuzz project disabled ahead of time for XZ to try and make sure the fuzzer wouldn't pick up their changes.

"Whoever these shitheads were"

These people are the hacker group known by the name "Magnet Goblin".

A financially motivated hacking group named Magnet Goblin uses various 1-day vulnerabilities to breach public-facing servers and deploy custom malware on Windows and Linux systems.

A month before the xz case these people attacked me and other people here at the phoronix.com forum: the forum user sophisticles placed links to injected web servers, which then used CVEs on Firefox 119, and then a glibc CVE was used to get root access, and then a LogoFAIL virus was installed in /boot/efi/logo.jpg.

This "Magnet Goblin" hacker group used a CVE in Apache ActiveMQ to infect the web server.

"CVE-2023-46805, CVE-2024-21887, CVE-2024-21888, CVE-2024-21893, Apache ActiveMQ"

To my information, these people are connected to the Indymedia left-wing extremists, meaning they are ADLs connected to Mossad in Israel and ADLs in Ukraine. https://en.wikipedia.org/wiki/Anti-Defamation_League

These ADLs are connected to Bill Gates and other ADLs like him.
Phantom circuit Sequence Reducer Dyslexia

• #28
Originally posted by andyprough:
    If XZ's backdoor is a fiasco, what should we call Chrome/Chromium's 53 known zero-day exploited vulnerabilities that have been added to cisa.gov's catalog over the past 28 months since November 2021? What word is worse than 'fiasco'? A 'tragedy'?

Absolutely right. To me it shows, or looks like, it's only a fiasco if other people from other countries or other sociological groups spy and use backdoors.

If the USA and any US-based company like Google build a backdoor into Google Chrome, then well, of course it's not a fiasco, it's business as usual...

XZ's is only a fiasco because it is the hacker group "Magnet Goblin", connected to ADLs in Israel and Ukraine. (Bill Gates)
Phantom circuit Sequence Reducer Dyslexia

• #29
Originally posted by Quackdoc:
    And yet without them, rolling/testing distros, it would not have been discovered.

Yes, of course. But still, non-expert users really should be warned about rolling release distros...

Experts can do whatever they want, of course.
Phantom circuit Sequence Reducer Dyslexia

• #30
Originally posted by qarium:
    The XZ fiasco shows that rolling distros like Arch are really, really dangerous.

    The only people who can safely handle this are Valve, because they established their own versioning system with their Steam Deck images.

    (edit) I know Arch was not affected by the XZ fiasco, but I still think rolling distros are dangerous.

The timing of finding the issue was basically pure luck by one awesome (Microsoft-paid) developer. In a few weeks it would have been in Fedora 40 and the LTS Ubuntu 24.04 release. It also would have ended up in RHEL 10 had it gone under the radar (and it easily could have). So I don't think fixed release or even LTS releases are magically invulnerable to supply chain attacks like this. On the other hand, having more users on the leading edge of new software gives you a much broader user base to find and report issues. I think Arch / Tumbleweed / Debian testing and unstable do good things for the broader ecosystem in this way. I wouldn't recommend any of these to a new user, but I'm glad they exist. I'm also glad the LTS type distros exist. One size doesn't fit all.
