xz utils Backdoor

[trekkie.forever 6]

Hello,

The recently discovered xz utils backdoor https://www.schneier.com/blog/archives/2024/04/xz-utils-backdoor.html

Is the AirVPN infrastructure susceptible to this?

Thanks.

[DogeX 6]

1 hour ago, trekkie.forever said:

Hello,

The recently discovered xz utils backdoor https://www.schneier.com/blog/archives/2024/04/xz-utils-backdoor.html

Is the AirVPN infrastructure susceptible to this?

Thanks.

probably not as the backdoor was pushed only in unstable version of some Linux distros, I doubt that Airvpn run on unstable distros

[OpenSourcerer 1363]

At most the OpenVPN over SSH connection method might be vulnerable. The vast majority uses OpenVPN or Wireguard directly, so the impact is very small.

[Staff 9767]

23 hours ago, trekkie.forever said:

Is the AirVPN infrastructure susceptible to this?

Hello!

No, it was not and it is not. Every and each machine runs on non-affected Operating Systems, typically FreeBSD and Debian 12. Debian 12 trivially is not affected because it does not include (in the official repositories we point at) the exploited xz versions 5.6.0 / 5.6.1 (and of course we did not build them from git) while in FreeBSD:

Quote

the backdoor components were excluded from the vendor import. Additionally, FreeBSD does not use the upstream's build tooling, which was a required part of the attack. Lastly, the attack specifically targeted x86_64 Linux systems using glibc

Gordon Tetlow, security officer, https://lists.freebsd.org/archives/freebsd-security/2024-March/000248.html).

Kind regards