MikeTelahun , to random
@MikeTelahun@mastodon.online avatar

To everyone losing their shit over the xz/liblzma debacle: This is how Open Source is supposed to work: many eyes looking over work-in-progress to make sure it works as intended. Sometimes it’s reviewing source code commits and other times it’s looking over the behavior of pre-release software, noticing anomalous behavior and chasing down the commit that caused it. This is precisely why we have debian-testing and FreeBSD-Current. If anything, this is validation that Open Source works.

joeyh , to random
@joeyh@hachyderm.io avatar

Github has disabled the https://github.com/tukaani-project/xz repository

That seems a bit of a problem for everyone who needs to understand the past activity there in order to fully address the backdoor. Sheesh

I have a clone from today if anyone needs it.

swelljoe , to random
@swelljoe@mas.to avatar

Does everyone understand how much luck was involved in this exploit in being discovered so quickly? And, what it tells us about the attacker?

This was a subtle and sophisticated attack implemented over years. The attacker was made a co-maintainer two years ago, and they made numerous innocuous-looking and seemingly unrelated changes over that time, sometimes through a second account, that eventually added up to a backdoor. Along with many innocent commits, too.

jwildeboer , to random
@jwildeboer@social.wildeboer.net avatar

TL;DR has been backdoored in 5.6.0 and 5.6.1. While Fedora Rawhide and Fedora 41 packages are affected, Red Hat Enterprise Linux is NOT affected. Updates (well, technically downgrades to 5.4.x) for Fedora are being made available through the regular update channels. Our Security Alert explains more details. https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users

Check if your machine is affected: run xz --version and see if it returns 5.6.0 or 5.6.1. If it shows a lower version, you are safe, as far as we can see now.
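The version check described in the post above, as an added shell example (not from the post or the xz project): it parses the two lines `xz --version` prints (the xz binary line and the liblzma line) and flags either one reporting 5.6.0 or 5.6.1, so it can be run against captured output as well as the live command.

```shell
# Added example, not part of the original post. Parses `xz --version`
# output, e.g.
#   xz (XZ Utils) 5.6.1
#   liblzma 5.6.1
# and returns 0 (true) if either the binary or the library it reports is
# one of the backdoored releases (5.6.0, 5.6.1), 1 otherwise.
xz_version_affected() {
  printf '%s\n' "$1" | awk '
    /^xz \(XZ Utils\)/ { v = $4 }            # 4th field is the version
    /^liblzma/         { v = $2 }            # library version line
    v == "5.6.0" || v == "5.6.1" { found = 1 }
    END { if (found) exit 0; exit 1 }
  '
}

# Convenience wrapper: check the xz installed on this machine.
# Prints a verdict; exit status 0 means an affected version was found.
check_local_xz() {
  if ! command -v xz >/dev/null 2>&1; then
    echo "xz not installed"
    return 1
  fi
  out=$(xz --version 2>/dev/null)
  if xz_version_affected "$out"; then
    echo "AFFECTED (5.6.0/5.6.1 found):"
    echo "$out"
    return 0
  fi
  echo "not affected:"
  echo "$out"
  return 1
}
```

As the post notes, a version below 5.6.0 is treated as unaffected; the check intentionally flags a mismatched install where only the liblzma line is 5.6.x.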

archlinux , to random
@archlinux@fosstodon.org avatar

Upgrade your systems now!

The xz package has been backdoored

https://archlinux.org/news/the-xz-package-has-been-backdoored/

scy , to random
@scy@chaos.social avatar

Eek. Apparently liblzma (part of the xz package) has a backdoor in versions 5.6.0 and 5.6.1, causing SSH to be compromised.

https://www.openwall.com/lists/oss-security/2024/03/29/4

This might even have been done on purpose by the upstream devs.

Developing story, please take with a grain of salt.

The 5.6 versions are somewhat recent, depending on how bleeding edge your distro is you might not be affected.

Foxboron , to random
@Foxboron@chaos.social avatar

Distributed tarballs of xz have been backdoored.

https://www.openwall.com/lists/oss-security/2024/03/29/4

gertvdijk , to random
@gertvdijk@mastodon.social avatar

Lasse Collin in commit message: “The other maintainer suddenly disappeared.” 😆


https://github.com/tukaani-project/xz/commit/77a294d98a9d2d48f7e4ac273711518bf689f5c4

senficon , to random
@senficon@ohai.social avatar

Lasse Collin has posted an update on his plans for and clearing up what happened: https://tukaani.org/xz-backdoor/ I hope he’s met with all the support and patience he needs.

hrefna , to random
@hrefna@hachyderm.io avatar

This is another reason I'm hesitant to look to blame and would rather evaluate the cascade.

Who should we blame?

Who should act?

It's easy to say what "those people over there" should be doing. It is hard to say "what can I do."

It's easy to say "everyone should just…" it's much harder to figure out how to get "everyone" to do just that.


https://infosec.exchange/@mariuxdeangelo/112201554719681666

hrefna , to random
@hrefna@hachyderm.io avatar

Whataboutism takes with respect to the backdoor ain't it, mate.

Xenograg , (edited ) to random
@Xenograg@dice.camp avatar