If your Linux installation has the "xz" utility installed make sure to update your system and keep an eye on things, it has had a security backdoor installed for a while:
The xz package, starting from version 5.6.0 to 5.6.1, was found to contain a backdoor. The impact of this vulnerability affected Kali between March 26th and March 29th. If you updated your Kali installation on or after March 26th, it is crucial to apply the latest updates.
If you would like to be sure that you are up to date and not affected by this vulnerability, you can do the following to upgrade your local version of the package: sudo apt update && sudo apt install --only-upgrade liblzma5
The xz package, from version 5.6.0 to 5.6.1, contained a backdoor. The impact of this vulnerability affected Kali Linux between March 26th and March 29th. If you updated your Kali installation on or after March 26th, it is crucial to install the latest updates.
If you want to be sure that you have the latest version of the package and are not affected by this vulnerability, you can do the following to upgrade your local version of the package: sudo apt update && sudo apt install --only-upgrade liblzma5
The backdoor was present in the official xz 5.6.0 and 5.6.1 releases, published on February 24th and March 9th, which made it into some distributions and repositories, for example Gentoo, Arch Linux, Debian sid/unstable, Fedora Rawhide and 40-beta, openSUSE factory and tumbleweed, LibreELEC, Alpine edge, Solus, CRUX, Cygwin, NixOS unstable, OpenIndiana, OpenMandriva rolling, pkgsrc current, Slackware current, Manjaro testing. All users of xz 5.6.0 and 5.6.1 are advised to roll back to version 5.4.6 urgently.
The backdoored liblzma version did not make it into the stable releases of major distributions, but it did affect openSUSE Tumbleweed and Fedora 40-beta. Arch Linux and Gentoo shipped the vulnerable xz version but are not subject to the attack, since they do not apply the openssh patch for systemd-notify support that causes sshd to be linked against liblzma. The backdoor only affects x86_64 systems based on the Linux kernel and the Glibc C library.
All the most interesting stuff happened at night again, while you were asleep.
The internet is in a 10-out-of-10 CVE storm: roughly every ssh server on Debian-like systems is compromised, through the subverted xz repository and the little liblzma library.
How come, you ask? openssh doesn't use liblzma at all. But there's a catch: Red Hat, Fedora and the various Debians patch openssh for compatibility with systemd notifications, and that's the whole mess.
The author of the code is a real piece of work. Not only did he figure out how to compromise the project through a test (i.e. the xz code is clean and everything is fine and proper before compilation), they also say he taught the well-known oss-fuzz not to detect his addition.
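As an added example (not from any of the posts above or from Kali's own tooling), a small POSIX shell script that performs the two defensive checks the posts describe: whether the installed liblzma5 is one of the two backdoored releases, and whether the local sshd is linked against liblzma at all. It assumes a dpkg-based system for the version lookup and the usual `/usr/sbin/sshd` path; both assumptions are marked in the comments.

```sh
#!/bin/sh
# Added example, not part of the posts above. Checks two things the posts
# describe: is the installed xz/liblzma one of the backdoored releases
# (5.6.0, 5.6.1), and is sshd linked against liblzma (the systemd-notify
# patch vector)?

# Return 0 (true) when a version string names a backdoored xz release.
# Accepts upstream strings ("5.6.1") and Debian-style strings ("5.6.1-1").
# Debian's fixed upload carries a "+really5.4.5" suffix and must not match.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1|5.6.0-*|5.6.1-*) return 0 ;;
        *) return 1 ;;
    esac
}

# Installed liblzma5 version on a dpkg-based system (assumption: Debian/Kali);
# prints nothing elsewhere or when the package is absent.
installed_liblzma_version() {
    dpkg-query -W -f='${Version}' liblzma5 2>/dev/null || true
}

# Return 0 if sshd links liblzma, 1 if not, 2 if sshd is not installed.
# Assumption: the binary lives at /usr/sbin/sshd unless a path is given.
sshd_links_liblzma() {
    sshd_path="${1:-/usr/sbin/sshd}"
    [ -x "$sshd_path" ] || return 2
    ldd "$sshd_path" 2>/dev/null | grep -q 'liblzma'
}

# Human-readable summary; written to be safe under `set -e`.
report() {
    v=$(installed_liblzma_version)
    if [ -n "$v" ] && xz_version_affected "$v"; then
        echo "liblzma5 $v is a backdoored release: run"
        echo "  sudo apt update && sudo apt install --only-upgrade liblzma5"
    else
        echo "liblzma5 version '${v:-unknown}' is not 5.6.0/5.6.1"
    fi
    rc=0
    sshd_links_liblzma || rc=$?
    case $rc in
        0) echo "sshd links liblzma (the exposed path if liblzma were backdoored)" ;;
        1) echo "sshd does not link liblzma" ;;
        2) echo "sshd not installed at /usr/sbin/sshd" ;;
    esac
}

report
```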
Security researchers find a way to unlock millions of hotel rooms, the UK introduces cyberflashing laws, and Google’s AI search pushes malware and scams.
Hackers have discovered a hardware vulnerability in Apple's M series processors that could allow encryption keys to be extracted. Software-based mitigation would probably degrade performance, but the vulnerability is very hard to exploit. https://buff.ly/4cCBCy6 #Vulnerability #Security #AppleSilicon #Apple #GoFetch
I've been off of social media for almost a month recovering from a concussion.
I always talk about how important it is to care for community members in this #CapitalistHellscape. I've always been someone who loves caring for people. However, in practice, I struggled to ask for and accept help and care. Part of that is my socialization and lived experience as a cis woman. The other part is the #InternalizedAbelism we all deal with. I've done a lot of work dismantling this inside myself - but alas, it persists.
I often found myself feeling guilty and shameful for needing help. I tended towards not even asking and making assumptions about my loved ones' capacity and desire to help me. I've known this for a long time and been working on it, but it was so easy to fall back into old patterns.
While talking with a friend a few days ago, I mentioned I wanted to see my other close friend but didn't want to ask her to drive an hour to see me because I didn't want to stress her out. Rightfully, my friend called me out and told me it isn't fair to make assumptions about what my loved ones may or may not want to do, and I need to trust people to make those decisions for themselves.
That conversation and my recovery (still ongoing) have served as an important reminder that asking for help requires becoming comfortable with feeling vulnerable, and naturally, under #Capitalism, many of us have internalized the lie that vulnerability is weakness. Like any muscle you want to build, becoming comfortable with being vulnerable takes practice. It feels strange and somewhat painful at first, but when people show up for you, it's not as hard every time you practice it.
Anyway, this is your reminder that caring for others tends to be easier than asking for and accepting care ourselves. Practice being vulnerable with your loved ones. People can't show up for you if you don't give them the chance.
In these days of #LetItRip, where #Covid is allowed to continue to spread unchecked, where #Palestinians are killed every day in a livestreamed #Genocide, we can't afford to allow the way things are to harden us.
Stay soft. Practice #RadicalCompassion and #Vulnerability. Remember that the internal work of dismantling all the bullshit capitalism ingrains within us is always ongoing.
♡
See y'all soon. I'm still recovering, but making small progress every day thanks to my lovely partner and friends.
Python is a memory-safe programming language that eliminates an entire class of software vulnerabilities 🐍🛡️ Adoption of memory-safe systems languages like #Rust continues to grow in the #Python package ecosystem 🦀
Let's be clear on this. Sloppy and incompetent implementation has made these vehicles vulnerable.
Expensive cars, frequently sold on perception of value, maintain their margins with cheap components and frequently sloppy engineering. Reliability records demonstrate this.
The technical press have been demonstrating this for more than 5 years.
🚨 Patch alert! #ConnectWise has released security updates to address a critical RCE #vulnerability in its ScreenConnect remote desktop and access software.
Timo Longin @login introduces SMTP smuggling, a novel technique to spoof fully SPF-validated emails from various popular domains including @microsoft.com.
Wow. It's incredible nobody found this before. It's the first of its kind. Probably not the last...!
🛑 #Ubuntu users, beware! Hackers can exploit a #vulnerability in the command-not-found utility to recommend and trick you into installing rogue packages via snap repositories.