xz Utils backdoor

[apmuthu]

Many of the LXC templates are in the xz format for PVE 6.x and PVE 7.x whilst the newer ones use .zst

https://arstechnica.com/security/20...tils-backdoor-that-almost-infected-the-world/

The above warns of xz Utils v5.6.0 and v5.6.1 being vulnerable to a backdoor.

 

[leesteken]

Many of the LXC templates are in the xz format for PVE 6.x and PVE 7.x whilst the newer ones use .zst

Either Proxmox saw this coming or they recognized the benefits of zstd, like sometimes better compression and a bigger team (more than one person) supporting it.

https://arstechnica.com/security/20...tils-backdoor-that-almost-infected-the-world/

The above warns of xz Utils v5.6.0 and v5.6.1 being vulnerable to a backdoor.

Luckily Debian 10/11/12 (stable) on which Proxmox is based always uses older versions. It's impossible to uninstall xz-utils because essential stuff depend on it.