• 3 Posts
  • 3 Comments
Joined 9 months ago
cake
Cake day: January 2nd, 2024

help-circle

  • You could probably fit something inside the chassis, but why? It doesn’t have standard mounting hardware for any ATX form factor, you’ll need to source a slim PSU, and at the end of the day, without a ton of effort to make the build work, and additional thought put into the cooling (etc) you’re going to destroy a working console for a pretty average result with a lot of trade-offs.

    TL;DR, bad idea. You can do better.


  • TL;DR don’t worry (for now) - it only impacts rpm and deb builds and impacted releases only really made it into OpenSuSe tumbleweed - if you’re running bleeding edge maybe you need to worry a little.

    A laymans explanation about what happens is that the malicious package uses an indirect linkage (via systemd) to openssh and overrides a crypto function which either:

    • allows access to the system to a particular key
    • allows remote code execution with a particular key

    Or both!

    I have secondhand info that privately the reverse engineering is more advanced, but nobody wants to lead with bad info.

    As for what you should do? Unless you’re running an rpm or deb based distro and you have version 5.6.0 or 5.6.1 of xz-utils installed, not much. If you are, well, that comes down to your threat model and paranoia level: either upgrade (downgrade) the package to a non-vulnerable version or dust off and nuke the site from orbit; it’s the only way to be sure.