Skip to main content

Search

Items tagged with: xz


With regard to xz backdoor, did anyone actually have any idea this was going on? With all these vendors doing source code scanning, was there any indication of maliciousness?

#OSS #Security #SBOM #xz


🤯 The level of sophistication of the XZ attack is very impressive! I tried to make sense of the analysis in a single page (which was quite complicated)!

I hope it helps to make sense of the information out there. Please treat the information "as is" while the analysis progresses! 🧐 #infosec #xz


The #xz vulnerability really has me feeling good about not living on the bleeding edge. I'm sure there's still some risk of a terrible backdoor somewhere in Debian or Ubuntu that hasn't been found yet, but at least there's a much higher chance of someone catching it before it bites me.

Only thing of mine that was affected was my Termux installations on my Android devices, something I never use for SSH anyway.

#xz


A pretty interesting article loosely related to the #xz mess and it's cleanup process.
Reproducible builds, verifiable build chains. Lot of good stuff.

https://research.swtch.com/nih

#xz


So now that we all understand that thanklessly relying on free work of overworked maintainers is a problem, how about we put our money where our mouth is?

I think @AndresFreundTec needs a fat bonus check for saving our asses.

And Lasse Collin needs a lot of support, and probably a nice vacation.

I pledge $100, for starters.

Now how can we make sure to send the funds to the correct people?

Or is there already any fundraiser that I missed?

#liblzma #xz #ssh #security #oss #floss


Again the FOSS world has proven to be vigilant and proactive in finding bugs and backdoors, IMHO. The level of transparency is stellar, especially compared to proprietary software companies. What the FOSS world has accomplished in 24 hours after detection of the backdoor code in #xz deserves a moment of humbleness. Instead we have flamewars and armchair experts shouting that we must change everything NOW. Which would introduce even more risks. Progress is made iteratively. Learn, adapt, repeat.
#xz


„GitHub Disables The XZ Repository Following Today's Malicious Disclosure“

#xz #GitHub #security

https://www.phoronix.com/news/GitHub-Disables-XZ-Repo


Is there concern for snaps or flatpaks? Checking my own stuff it looks like applications using bundled liblzma are running in the 5.2.* - 5.4.* versions, but if someone has a bleeding edge application running an affected version, what would the remediation be? Would uninstalling it be sufficient?

#snap #flatpak #linux #xz #liblzma


Eek. Apparently liblzma (part of the xz package) has a backdoor in versions 5.6.0 and 5.6.1, causing SSH to be compromised.

https://www.openwall.com/lists/oss-security/2024/03/29/4

This might even have been done on purpose by the upstream devs.

Developing story, please take with a grain of salt.

The 5.6 versions are somewhat recent, depending on how bleeding edge your distro is you might not be affected.

#liblzma #xz #lzma #backdoor #ITsecurity #OpenSSH #SSH