jotbe, 1 month ago to security

Putting an xz Backdoor Payload in a Valid RSA Key | rya.nc

https://rya.nc/xz-valid-n.html

#xz #cve20243094 #security #backdoor #rsa #ssh #rr

popey, 1 month ago to ubuntu

[Announcement] "Xz/liblzma security update (post #2)" from the Ubuntu developers regarding #cve20243094

https://discourse.ubuntu.com/t/xz-liblzma-security-update-post-2/43801?u=popey

#ubuntu #linux #xz

jbzfn, 1 month ago to debian

🍥 Debian Decided to Postpone the 12.6 Release | Linuxiac

「 Without a doubt, the deliberate infiltration of backdoored upstream XZ tarballs into the Debian sid repository a few days ago, allowing remote SSH access without authentication, sparked a real storm in the Linux community 」

#XZ #Backdoor #Debian #Linux #Cybersecurity #Opensource #CVE20243094

https://linuxiac.com/debian-decided-to-postpone-the-12-6-release/

jomo, 1 month ago (edited 1 month ago) to random

Nice! @amlw wrote a PoC exploit and a honeypot for the xz backdoor.

https://github.com/amlweems/xzbot

#xz #liblzma #cve20243094 #infosec

jwildeboer, 1 month ago to random

#JustInCase I have mirrored @thesamesam gist at https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27 (the xz backdoor/exploit FAQ) locally and on https://codeberg.org/jwildeboer/gists/src/branch/main/20240401CVE20243094FAQMirror.md Will setup some sort of automatic update script later. I don't think Github will somehow interfere with this FAQ, but hey, better safe than sorry and stuff :)

This is just a FYI. Please do NOT use my manual mirror of the FAQ and bookmark ONLY the original source.

#CVE20243094 #xz #liblzma #backdoor

forgejo, 1 month ago to random

Hello #Forgejo admins,

We've published a post regarding the impact of the xz backdoor (CVE-2024-3094) on the Forgejo project.
https://forgejo.org/2024-03-xz/

#xz #cve20243094

shellsharks, 1 month ago to infosec

There's A LOT going on (analysis, discussion, vendor notices, etc...) related to the ongoing xz/liblzma compromise so I created a "link roundup" which centralizes and buckets a lot of the awesome links and threads I've seen flying around.

https://shellsharks.com/xz-compromise-link-roundup

I will try to keep this up-to-date (ish) for a few days while things are hot but I make no promises beyond that.

#cve20243094 #xz #xzbackdoor #xzorcist #supplychainattack #xz4shell #infosec #cybersecurity

jwf, 1 month ago to linux

Most of my feed on the #xzorcist #xz mess is solution-eering on ideas for paying maintainers. It implies the way to fix this is to simply pay people for their time.

I am not seeing something else though. Has anyone actually asked the maintainer what they want? What if that answer was not money? What if it was "I don't want to do this anymore?"

Regardless of the answer this time around, we should be prepared to boldly face these types of answers too.

#Linux #OpenSource #infosec #CVE20243094

techsaviours, 1 month ago to security

xz backdoor

Some distro-specific news links:

@archlinux - https://archlinux.org/news/the-xz-package-has-been-backdoored/

@debian - https://micronews.debian.org/2024/1711830544.html

#openwrt - https://forum.openwrt.org/t/project-statement-about-xz-5-6-1-cve-2024-3094/193250

@fedora - https://fedoramagazine.org/cve-2024-3094-security-alert-f40-rawhide/

@opensuse - https://news.opensuse.org/2024/03/29/xz-backdoor/

Missed a distro? Reply and add yours.

#CVE20243094 #backdoor #security #Vulnerability #SSH #archlinux #debian #fedora #opensuse

synlogic, 1 month ago to random

many Russian & Chinese names seen as maintainers or key commiter atributations of xz & liblzma:

Larhzu (username of "Lasse Collin")
Jia Tan
Chan Tsune
Wei Dai

Sergey Kosukhin
Igor Pavlov
Ilya Kurdyukov
Dimitri Papadopoulos

DISCLAIMER: This is NOT exhaustive search, just quick. And having one's name in this list does NOT imply guilt or malfeasance, and its possible its all an innocent coincidence! But given what we know about Chin & Rus gov backed hacking/infiltration attempts...

#cve20243094

circl, 1 month ago to infosec

TR-82 - backdoor discovered in xz-utils - CVE-2024-3094

🔗 For more information including detection and information about vulnerable distribution https://www.circl.lu/pub/tr-82/

#xz #vulnerability #infosec #backdoor #vulnerabilities #cve20243094

jotbe, 1 month ago to security

FAQ: xz-utils backdoor situation · GitHub https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27 #xz #security #CVE20243094

kernellogger, 1 month ago to linux

Lasse Collin's patch-series updating the #LinuxKernel's #xz code that a few days ago hit #linux-next was dropped for now until backdooring of upstream xz is understood better:

https://lore.kernel.org/all/20240329195602.382cb1c99bb70e3d8c6093ae@linux-foundation.org/

bentomn, 1 month ago (edited 1 month ago) to random

This is a good, clear note regarding the #xz incident.
What is known, what is unknown.
It distills earlier notes, offers context.

#cve20243094

https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27

philpem, 1 month ago to random

Learning about the gcc attribute ((ifunc ("resolve_xxx"))) construct is making me wonder what the hell the person who thought it up was drinking, smoking or eating, and the code review team too.

I'm struggling to think of a reasonable usecase for this monstrosity of a construct.

https://gcc.gnu.org/onlinedocs/gcc/Common-Function-Attributes.html#index-ifunc-function-attribute

#cve20243094 #gcc #whatwereyouthinking

stdevel, 1 month ago to linux

Admins on Monday be like…

#cve20243094 #xz #lzma #CVE #Linux #Security

bsdphk, 1 month ago to random

I gave a talk about state actors attacking FOSS, ten years ago, on FOSSDEM:

https://www.youtube.com/watch?v=3jQoAYRKqhg

#cve20243094

Adorable_Sergal, 1 month ago to random

Is RHEL 8.x affected by the xz exploit?

asking for a friend

#CVE20243094

Adorable_Sergal, 1 month ago to random

Music to panic by

https://www.youtube.com/watch?v=TxMAY0dJWkA

#liblzma #backdoor #cve20243094

cccfr, 1 month ago to internet German

xz or not xz , thats the question?
ugly, mode: alles anzünden

"Backdoor found in xz liblzma specifically targets the RSA implementation of OpenSSH. Story still developing."

#leak #backdoor #ssh #Internet #xz #linux #rsa #libzma #openssh #CVE20243094 #sicherheitslücke
https://www.youtube.com/watch?v=jqjtNDtbDNI
https://openwall.com/lists/oss-security/2024/03/29/4
https://archlinux.org/news/the-xz-package-has-been-backdoored/
https://sc.tarnkappe.info/d941c4

Haydar, 1 month ago to random German

Regarding the #xz / #liblzma backdoor, quoting the original mail https://seclists.org/oss-sec/2024/q1/268

"Debian and several other distributions patch openssh to support systemd notification, and libsystemd does depend on lzma."

"it is likely the backdoor can only work on glibc based systems."

So, if you are using a non-sytemd distro ( e.g. #Devuan, #Artix, #Void, #Slackware) or a non-glibc distro (e.g. #Alpine) you are most likely not affected, right?
#cve20243094

phryk, 1 month ago to random

Realistically, any contributions by JiaT75 should be retroactively audited.

Not gonna look into it too deep as I'm working right now, but they seem to maintain a unit testing framework – seems pretty dead, but a testing framework certainly sounds like the sort of thing that would be in a good position to fuck with software supply chains.

#cve20243094

cassidy, 1 month ago to linux

Watching the discovery and fallout from the xz supply chain compromise unfold in real time across mailing lists and issue trackers. Wild stuff.

Hug ops to OSS security peeps, today. And hopefully we can better understand what exactly happened—and why.

#xz #CVE #cve20243094 #Linux #hugops

w8emv, 1 month ago to random

Red Hat assigned this issue CVE-2024-3094.

"Subject: backdoor in upstream xz/liblzma leading to ssh server compromise"

As posted to oss-security by Andres Freund andres@

https://www.openwall.com/lists/oss-security/2024/03/29/4

#xz #liblzma #backdoor #cve20243094

miah, 1 month ago to random

xz/liblzma is backdoored. wow.

https://www.openwall.com/lists/oss-security/2024/03/29/4