<!DOCTYPE html>
<html lang="en">
<head>
<meta charset='utf-8'>
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="fediverse:creator" content="@AenBleidd@fosstodon.org"><meta name="description" content="Find more information about the liblzma vulnerability and its impact on BOINC."><meta name="keywords" content="BOINC, development, Vitalii Koshura, updates, information, liblzma, vulnerability"><meta property="og:title" content="BOINC Release 8.0.0 and liblzma vulnerability"><meta property="og:description" content="Find more information about the liblzma vulnerability and its impact on BOINC."><meta property="og:type" content="website"><meta property="og:url" content="https://aenbleidd.github.io/2024.04.01.html"><meta property="og:image" content="https://aenbleidd.github.io/images/74f1822a50ba58c7.jpeg"><link rel="canonical" href="https://aenbleidd.github.io/2024.04.01.html"><title>BOINC Release 8.0.0 and liblzma vulnerability</title><link rel="icon" type="image/x-icon" href="favicon.ico">
<link rel="stylesheet" type="text/css" href="stylesheets/stylesheet.css" media="screen">
<link rel="stylesheet" type="text/css" href="stylesheets/github-dark.css" media="screen">
<!-- Google tag (gtag.js) -->
<script async src="https://www.googletagmanager.com/gtag/js?id=G-RB9QYE55Z3"></script>
<script>window.dataLayer = window.dataLayer || [];function gtag(){dataLayer.push(arguments);}gtag('js', new Date());gtag('config', 'G-RB9QYE55Z3');</script>
</head><body><header><div class="container"><h1>Vitalii Koshura: Maintaining BOINC / BOINC Release 8.0.0 and liblzma vulnerability</h1></div></header><div class="container"><aside id="menu"><ul id="menu_items"><li><a href = 'index.html'>Home</a></li><li><a href = 'blog.html'>Blog</a></li><li><a href = 'tutorials.html'>Tutorials</a></li></ul></aside><section id="main_content"><div id="blog_post_single"><p align="center">
<img src="images/74f1822a50ba58c7.jpeg" alt="xz inside photo"/>
</p>
<p>Recently it was discovered that liblzma - the popular library for data compression/decompression - contains a <a href="https://tukaani.org/xz-backdoor/">severe vulnerability</a>.</p>
<p>Unfortunately, BOINC 8.0.0, which is available for alpha testing, was built with the malicious 5.6.0 version of this library.</p>
<p>This is because liblzma is a dependency of libtiff, which is a dependency of wxWidgets, which is used to build the GUI of BOINC Manager.</p>
<p>As far as we can see, this issue doesn't affect our users, since the target of this 'backdoor' is an sshd process, and BOINC doesn't work with it in any way. Just to highlight one more time: only BOINC Manager was built with this library, and BOINC client doesn't use this dependency at all. So we strongly believe that our users are completely safe while using BOINC version 8.0.0.</p>
<p>But since the analysis of this backdoor is not finished yet, we have decided to build another release, 8.0.1, that downgrades liblzma to version 5.4.4, which is completely safe. According to the available data, this backdoor works on Linux only, which is why BOINC 8.0.1 will be released for alpha testing for Linux only.</p>
<p>We will continue monitoring the situation, and if needed, will release 8.0.1 for other platforms as well.</p>
<p>Please use this page to find instructions for using the <a href="https://boinc.berkeley.edu/linux_install.php">BOINC Linux packages</a>.</p>
<p>Thank you for your understanding.</p>
<p align="center">
<img src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjTmxMxc7mfxobQJF-0ygdqhtEvP6rfkL4VItg9GbJgxpp7pGr5wAmlJaW0nDPE73m3VHsWZf93GM4q6A5WStCBjia7TE_FVcSEaHndvu408IwdBbRiyfhFxQ0ZB-los2nG1PgapRWpVRs4XLWb1iWw3B5Vr5K_Xp8LtRN08Kivt1TN1vGrPCw8JYVbfoLM/w642-h362/maxime-GsuoClhxMDE-unsplash.jpg" alt="COVID-19 times: man and woman instead of handshake touch each other with their elbows"/>
</p></div><div id="previous_post_link"><a href="2024.03.18.html">Previous Post: Major BOINC version change</a></div></section><aside id="right_block" style="margin-left: 100px;"></aside></div><footer><div class="container"><p>Vitalii Koshura © 2026</p></div></footer></body></html>