Ancestors

Toot

Written by mFat on 2024-03-31 at 14:01

Unveiling the xz Utils Backdoor which deliberately opens our SSH connections for RCAs

https://lemdro.id/post/7519386

=> More information about this toot | More toots from mfat@lemdro.id

Descendants

Written by BOFH666@lemmy.world on 2024-03-31 at 14:39

Thanks for the pointer.

This is really huge, but people don’t quite understand that yet.

If this wasn’t caught, every system -running public sshd- could be hacked or abused/misused.

And I completely agree with the last words, corporate should pay foss projects!

=> More information about this toot | More toots from BOFH666@lemmy.world

Written by SMillerNL@lemmy.world on 2024-03-31 at 14:48

Even paid it might be hard to find maintainers with knowledge of the code

=> More information about this toot | More toots from SMillerNL@lemmy.world

Written by P03 Locke on 2024-04-01 at 00:48

imgs.xkcd.com/comics/dependency_2x.png

=> More information about this toot | More toots from p03locke@lemmy.dbzer0.com

Written by tsonfeir@lemm.ee on 2024-03-31 at 16:09

Anyone got a link for this topic that isn’t a video?

=> More information about this toot | More toots from tsonfeir@lemm.ee

Written by BOFH666@lemmy.world on 2024-03-31 at 16:15

tukaani.org/xz-backdoor/

Check the links on that page.

=> More information about this toot | More toots from BOFH666@lemmy.world

Written by perishthethought@lemm.ee on 2024-03-31 at 16:40

Good explainer, if you need to catch up like I did:

en.m.wikipedia.org/wiki/XZ_Utils

Read the supply chain attack section.

Also, from the video…

X is losing its action! We LIKE!

Hell yeah we like.

=> More information about this toot | More toots from perishthethought@lemm.ee

Written by Goku on 2024-03-31 at 22:00

So if I have been using Arch with the infected xz library to connect to a Debian LTS server, am I compromised?

=> More information about this toot | More toots from youngGoku@lemmy.world

Written by cybersandwich@lemmy.world on 2024-03-31 at 23:12

Assume yes until you can prove otherwise.

=> More information about this toot | More toots from cybersandwich@lemmy.world

Written by TwiddleTwaddle@lemmy.blahaj.zone on 2024-04-01 at 01:50

From what I’ve read both arch and debian stable aren’t vulnerable to this. It targeted mostly debian-testing.

=> More information about this toot | More toots from TwiddleTwaddle@lemmy.blahaj.zone

Written by rotopenguin@infosec.pub on 2024-04-01 at 02:29

As I heard it - the (naughty) build tooling looked for rpm and deb, and bailed out if they were absent.

=> More information about this toot | More toots from rotopenguin@infosec.pub

Written by mosiacmango on 2024-04-01 at 06:01

Arch stable had it apparently, but that's not the commonly used version of Arch.

=> More information about this toot | More toots from mosiacmango@lemm.ee

Written by Irate1013@lemmy.ml on 2024-04-01 at 13:41

Arch put out a statement saying users should update to a non-infected binary even though it doesn't appear to affect Arch: archlinux.org/…/the-xz-package-has-been-backdoore…

However, out of an abundance of caution, we advise users to remove the malicious code from their system by upgrading either way. This is because other yet-to-be discovered methods to exploit the backdoor could exist.

=> More information about this toot | More toots from Irate1013@lemmy.ml

Written by Possibly linux on 2024-04-01 at 14:00

I would pay attention to the news

=> More information about this toot | More toots from possiblylinux127@lemmy.zip

Written by Possibly linux on 2024-04-01 at 13:59

That thumbnail is something else

=> More information about this toot | More toots from possiblylinux127@lemmy.zip

Written by j4yt33 on 2024-04-01 at 15:23

I need the IASIP meme for this thumbnail

=> More information about this toot | More toots from j4yt33@feddit.de

Written by mudle@lemmy.ml on 2024-04-01 at 15:33

For all those wanting to know what version of the xz package you have, DO NOT use “xz -V” or “xz --version”. Ask your package manager instead; e.g. “apt info xz-utils”. Executing a potentially malicious binary IS NOT a good idea, so ask your package manager instead.

=> More information about this toot | More toots from mudle@lemmy.ml
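The check described in that post, as an added shell example that is not from the thread: it asks dpkg-query, rpm or pacman for the installed xz/liblzma package version rather than running xz, and compares it against an affected-version list. The package names (xz-utils, liblzma5, xz, xz-libs) are assumed distro names, and AFFECTED_XZ_VERSIONS is a placeholder to fill from your distribution's advisory.

```shell
#!/bin/sh
# Added example, not from the thread. Report the installed xz / liblzma package
# version by asking the package manager, never by executing the xz binary.
# Package names (xz-utils, liblzma5, xz, xz-libs) are the usual distro names and
# are assumed; AFFECTED_XZ_VERSIONS is a placeholder to fill from your advisory.

# Print "<package> <version>" for the installed xz-related packages using package
# metadata only (no xz process is started); status 1 if no known manager exists.
xz_installed_versions() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Package} ${Version}\n' xz-utils liblzma5 2>/dev/null
    elif command -v rpm >/dev/null 2>&1; then
        # rpm reports missing packages on stdout, so drop those lines
        rpm -q --queryformat '%{NAME} %{VERSION}-%{RELEASE}\n' xz xz-libs 2>/dev/null |
            grep -v ' is not installed'
    elif command -v pacman >/dev/null 2>&1; then
        pacman -Q xz 2>/dev/null
    else
        return 1
    fi
    return 0
}

# Compare an installed version against a space-separated affected list. Distro
# versions carry release suffixes such as "-1" or "-0ubuntu1", so only the
# upstream part before the first "-" is compared. Returns 0 if affected.
is_affected_version() {
    installed=${1%%-*}
    for v in $2; do
        [ "$installed" = "$v" ] && return 0
    done
    return 1
}

AFFECTED_XZ_VERSIONS="X.Y.Z"   # placeholder: take the real list from the advisory
main() {
    if ! versions=$(xz_installed_versions); then
        echo "no supported package manager found (dpkg-query, rpm, pacman)" >&2
        return 0
    fi
    printf '%s\n' "$versions" | while read -r pkg ver; do
        [ -n "$pkg" ] || continue
        if is_affected_version "$ver" "$AFFECTED_XZ_VERSIONS"; then
            echo "$pkg $ver: listed as affected, upgrade through the package manager"
        else
            echo "$pkg $ver: not in the affected list"
        fi
    done
}
main
```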

Original URL
gemini://mastogem.picasoft.net/thread/112190663455830102