The upstream xz repository and the xz tarballs have been backdoored

Well, till now I didn’t care much about benchmarking. Times change. Doesn’t seem to be as useless as it seemed before.

I doubt it’s even possible, if those feds want to properly conceal their IP… delay is a must.

Exactly!

I think what all of this shows is that the Linux community needs to be vigilant.

3 Likes

yep

1 Like

  1. Red Hat Security Alert, https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users
  2. CISA Alert, https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094
  3. openSUSE downgrade of xz, https://build.opensuse.org/request/show/1163302
  4. discussion https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27
  5. backdoor in upstream xz/liblzma leading to ssh server compromise, https://www.openwall.com/lists/oss-security/2024/03/29/4
  6. CVE-2024-3094 - Redhat Customer Portal, https://access.redhat.com/security/cve/CVE-2024-3094
  7. CVE-2024-3094 PoC Exploration, https://github.com/amlweems/xzbot
  8. Backdoor found in xz package source, https://www.alpinelinux.org/posts/XZ-backdoor-CVE-2024-3094.html
  9. The xz package has been backdoored, https://archlinux.org/news/the-xz-package-has-been-backdoored/
  10. CVE-2024-3094 XZ Backdoor: All you need to know, https://jfrog.com/blog/xz-backdoor-attack-cve-2024-3094-all-you-need-to-know/
  11. YARA rule CVE-2024-3094, https://github.com/byinarie/CVE-2024-3094-info
  12. detection script CVE-2024-3094, https://github.com/cyclone-github/scripts
  13. CVE-2024-3094 Detector, https://github.com/jfrog/cve-2024-3094-tools
  14. openSUSE addresses supply chain attack against xz compression library, https://news.opensuse.org/2024/03/29/xz-backdoor

The information age…

7 Likes

https://news.ycombinator.com/item?id=39868682

Microsoft calls it a feature, not an issue.

3 Likes
2 Likes

This article about Notepad++ smells fishy. Usually you would read about the origin of the package, affected version or dates, mitigations, …

I feel bad for the guy who created “Everything I Know About the XZ Backdoor”. Digging through every single article that has the word xz in it for some useful info.

1 Like

DT had a take on it, too, of course.

2 Likes

I have the same opinion as DT. Why is the first guy who reported that exploitation an m$ dev in the first place? I’m afraid that is a deception of war to get m$ accepted as the honest good guy?

1 Like

Maybe, just maybe, the guy actually found something bad and reported it? Even if it is true, why should I worry? Why should I have this on my head alongside my own inner demons? I’m extremely sorry, but I would rather be a naive idiot than someone who is constantly thinking about how everybody wants to mess up each other.

3 Likes

He wasn’t acting on official m$ business, he reported it on his own. The fact he works for m$ is pretty irrelevant here, it seems.

4 Likes

It’s my conclusion. I’m not that confident! I only want you all to be aware of deception. If I was wrong, I’m okay with being wrong. Never mind.

1 Like

Okay, so please tell me which is his social, and his origin.

Someone = me? Constantly? That’s your conclusion. Okay, that’s what you think. I won’t argue anymore, to look like a villain destroying the unity of your community.

1 Like

This is essentially just sealioning and does not contribute to the discussion in a constructive way.

You are the one with the crackpot theory; if you want people to take your conclusion seriously, then you should be the one presenting compelling evidence.

4 Likes

Look man, I wasn’t attacking you. If you feel attacked, you really shouldn’t. Quite frankly, I have had a horrible week and seeing the entire situation happening brought with it some self-doubts of my own beliefs in open source software and its nature. Analyzing the situation to this degree, for me, is very uncomfortable and I don’t think it is helpful for me to do such a thing in the situation I’m in currently. If you want to do so, go ahead. I’m not going to stop you, nor judge you for it. Just please understand that I’ve enough on my plate personally, with my own inner demons and dilemmas regarding this world, my place in it, my behavior here and elsewhere, and other things I don’t think you want to hear.

1 Like