Entware Backdoor in linux XZ utils on Linux distros.

[DJones]

XZ Struck By Malicious Code That Could Allow Unauthorized Remote System Access - Phoronix

www.phoronix.com

Whomp whomp

*Doesn't appear to be incorporated into Asuswrt-Merlin. 5.4.6-1 xz is a entware however “Some malicious code was added to XZ 5.6.0/5.6.1 that could allow unauthorized remote system access.”

Earlier versions should be safe however xz utils upstream should not be trusted until further security research is done and the backdoor is patched.

 

[XIII]

Because the backdoor was discovered before the malicious versions of xz Utils were added to production versions of Linux, “it's not really affecting anyone in the real world,” Will Dormann, a senior vulnerability analyst at security firm ANALYGENCE, said in an online interview.

Backdoor found in widely used Linux utility breaks encrypted SSH connections

Malicious code planted in xz Utils has been circulating for more than a month.

arstechnica.com

 

[visortgw]

xz-utils 5.4.6-1 (pre-backdoor) is available in entware, but it is not installed on my router as part of amtm or a handful of 3rd-party scripts. You can verify on your own device via "opkg list-installed".

 

[Ripshod]

Not installed on mine either, even with all the scripts I've installed.

 

[RMerlin]

Neither Asuswrt-Merlin nor Entware are affected, different version.