Search
Items tagged with: cve
A couple things to think about here:
This appears to be a malicious maintainer - not a compromised account. Meaning the person themselves, coded this in an pushed it out.
So:
1) Did they try and backdoor any other code?
2) Are they part of a greater campaign or is anyone else helping them.
This is a massive breach of trust.
That said! Huge kudos to Andres Freund, Florian Weimer, and others in finding this.
A lot of eyes are on this now. CISA is involved. Major distros are involved, etc. Many eyes and such.
Urgent security alert for Fedora Linux 40 and Fedora Rawhide users
Red Hat Information Risk and Security and Red Hat Product Security learned that the latest versions of the “xz” tools and libraries contain malicious code that appears to be intended to allow unauthorized access., (Red Hat)