home.social

#xzbackdoor — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #xzbackdoor, aggregated by home.social.

  1. I had to deal a bit with the "Supply-chain Levels for Software Artifacts" (SLSA) "standard":
    slsa.dev/

    IMO it's a joke, since they do not properly deal with threats from "Includ[ing] a vulnerable dependency (library, base image, bundled file, etc.)". They essentially say "A future version of this standard might deal with that":
    slsa.dev/spec/v1.2/threats

    This has been the main entry point of the past supply chain attacks (XZ backdoor, litellm, Shai-Hulud, ...). A supply-chain security standard that doesn't properly deal with vulnerabilities in dependencies completely misses the point. It's like installing alarms on your windows (to catch burglars trying to enter your home through the windows) when your front door doesn't have a lock.

    #SLSA #supplychain #supplychainsecurity #xzbackdoor #ShaiHulud #litellm

  2. Lasse Collin (the developer of xz-utils) has found out how to accept donations without breaking the Finnish money collection law:
    github.com/tukaani-project/xz/

    He has created an account on #LiberaPay with a restriction to not accept donations from Finns or people living in Finland:
    liberapay.com/Larhzu/

    #OpenSource #XZBackdoor #XZUtils #XZ

  3. What do we actually know about «Jia Tan»? I went looking for clues. And in doing so I found out that one could probably have earned several billion with the security vulnerability.

    I'd be glad to take you along on this journey and through the conclusions that follow from it.
    #JiaTan #xz #Backdoor #xzBackdoor #DNIP
    dnip.ch/2024/05/14/spurensuche

  4. Happy (very punctual) #FiveMinuteFriday. Today we're talking about some changes we are making in light of the #XZBackdoor. tldr; the Trusted Contributors program will be doing a bit more #TrustButVerify. Read more about Trusted Contributors at puppet.com/ecosystem/contribut or download the scanner module at forge.puppet.com/puppetlabs/xz and check your infrastructure today.

  6. Latest episode of The Download is out, this one covers all the #xzBackdoor news, updates on GitHub Copilot for the CLI, big new releases from #Bun and #Babylonjs and of course, Beyoncé youtube.com/watch?v=TrqiT_a8zg

  7. Yay, #Debian reduces #OpenSSH dependencies (in Debian Unstable for now) and removes #libsystemd dependency.

    openssh (1:9.7p1-4) unstable; urgency=medium

    * Rework systemd readiness notification and socket activation patches to not link against libsystemd (the former via an upstream patch).
    * […]

    Thanks @cjwatson!

    (via tracker.debian.org/news/151654)

    #xz #xzbackdoor #xzorcist #JiaT75 #systemd #AttackSurfaceReduction

  8. Do you remember when AT&T rolled back the ksh repository to a version 8 years old dismissing all the changes made in the last years by contributors?
    Maybe we can do the same with the last two years of xz-utils?

  9. So if I interpret the data correctly, then #yocto / #openEmbedded based Linux systems are not vulnerable to the #xzbackdoor due to not updating very quickly. xz is at version 5.4.6 in the openembedded-core layer.

    I don't see anything that would have prevented being vulnerable though; the openembedded-core layer does
    - contain the libsystemd patch and thus pull in xz when building a systemd-enabled distro
    - use the release tarballs of xz

  10. @Aaron: Oh, and the now infamous "Simplify SECURITY.md" commit by #JiaT75 is now also in that repo: git.tukaani.org/?p=xz.git;a=co

    So it's up to date with GitHub again (and now ahead of it). #xz #xzorcist #xzbackdoor

  11. @joeyh: There still seems to be a week-old copy on git.tukaani.org/?p=xz.git;a=su #xz #JiaT75 #xzbackdoor

    The latest change I remember (the infamous "simplification of SECURITY.md") is not in there, though, so it seems not up to date.