Malicious code was pushed to the libxz-utils project that introduced a backdoor in SSH. Here's how to find potentially vulnerable systems.
Hi, tl;dr: OpenWrt seems to be not affected by CVE-2024-3094. As you may be aware, malicious code was identified in the xz upstream tarballs starting from version 5.6.0. The development snapshots of OpenWrt were utilizing this compromised library version. Fortunately, the snapshot builds relied on source code tarballs from GitHub releases, which are generated automatically. These contained only the dormant segment of the malicious code. The crucial component that would activate the backdoo...
Imagine an indie Open Source contingent thriving alongside our corporations and governments.
644 strangers in your package.json. The XZ backdoor was caught by one engineer noticing half a second of latency. Next time it might be 50 milliseconds. Next time it might be no perceptible drift at all.
Many discussions about open source dependencies and maintenance happened in the last month. Two posts caught my eye in the Rust ecosystem: Sudo-rs dependencie...
Heisenberg’s indeterminacy principle formula. Two weeks of links, which includes a collection from the xz debacle. I loved reading these, as this is a good combination of spy story and technology postmortem. If you want to read an overview, read the timeline post. Good podcasts this week: about the Heisenberg principle, and the silencing of climate protesters in the UK. Leadership Getting real with Employee Experience [Podcast] - two good interviews with people active in the area.
Nice writeup from Russ Cox on the (incredibly long) timeline of the XZ backdoor
Links to analysis, discussion and more related to the xz/liblzma compromise (CVE-2024-3094).
I would have gotten away with it too, if it weren't for you meddling Microsoft developers!
Hi again, everyone. We’ve got a big update for you, and we could use your help testing things out. If you just want to test the cooldowns beta, you can jump straight to the cooldown docs. The rest of this post has updates from the team, as well as more background on why we built cooldowns in the first place.
apt install -t unstable, but make it your whole personality
xz-utils backdoor situation (CVE-2024-3094).
Open source software projects are frequently enmeshed with the interests of corporations. We should update mental models of who works on open source accordingly, and build or modify power structures to be more resilient to corporate capture.
A malicious backdoor was discovered in the xz library, which implements LZMA compression. xz, among many other places, is used indirectly by sshd. My attempt to explain what happened.