#xzorcist — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #xzorcist, aggregated by home.social.
-
Yay, #Debian reduces #OpenSSH dependencies (in Debian Unstable for now) and removes #libsystemd dependency.
openssh (1:9.7p1-4) unstable; urgency=medium
* Rework systemd readiness notification and socket activation patches to not link against libsystemd (the former via an upstream patch).
* […]
Thanks @cjwatson!
(via https://tracker.debian.org/news/1516548/accepted-openssh-197p1-4-source-into-unstable/)
#xz #xzbackdoor #xzorcist #JiaT75 #systemd #AttackSurfaceReduction
-
Perhaps the long con is an even longer con in which an attacker attempts to drive many #infosec people into burnouts over time by hiding malware in packages that are then discovered just before holiday weekends.
-
There's A LOT going on (analysis, discussion, vendor notices, etc...) related to the ongoing xz/liblzma compromise so I created a "link roundup" which centralizes and buckets a lot of the awesome links and threads I've seen flying around.
https://shellsharks.com/xz-compromise-link-roundup
I will *try* to keep this up-to-date (ish) for a few days while things are hot but I make no promises beyond that.
#cve20243094 #xz #xzbackdoor #xzorcist #supplychainattack #xz4shell #infosec #cybersecurity
-
Compliance Officers: „Maintainer, who does not owe me anything, I need you to fill out this form and take responsibility!“
Salespeople: „My product solves this and any other problem in cybersecurity. With a premium sub you can also end world hunger.“
LinkedIn Influencers: „The end is nigh! This time I’m sure!“
-
@Aaron: Oh, and the now infamous "Simplify SECURITY.md" commit by #JiaT75 is now also in that repo: https://git.tukaani.org/?p=xz.git;a=commit;h=af071ef7702debef4f1d324616a0137a5001c14c
So it's up to date with GitHub again (and now ahead of it). #xz #xzorcist #xzbackdoor
-
@vaurora: In this case it was rather "not enough people involved" instead of "too many involved": See #busfactor and https://xkcd.com/2347 #xkcd2347
This was only possible because the original maintainer did that work alone and seems to have been close to a #burnout and urgently needed someone to step in. So it was easy to get the co-maintainer position without long-time #trust being involved.