On 2024-03-31 07:19, der.hans via PLUG-discuss wrote:
> On 30 Mar 2024, Matthew Crews via PLUG-discuss said:
> > Among the many questions that need to be asked:
> >
> > 1. How can we trust source tarballs / archive files to be 100% correct
> > versus source code?
>
> Reproducible
der.hans via PLUG-discuss said on Sun, 31 Mar 2024 07:19:43 + (UTC)
>On 30 Mar 2024, Matthew Crews via PLUG-discuss said:
>
>> This, ladies and gentlemen, is what a Supply Chain Attack looks like.
>>
>> While I'm not sure that this specific vulnerability led to much harm (who
On 30 Mar 2024, Matthew Crews via PLUG-discuss said:
This, ladies and gentlemen, is what a Supply Chain Attack looks like.
While I'm not sure that this specific vulnerability led to much harm (who knows yet?), we're going to be feeling the aftershocks in the open source and
Matthew Crews via PLUG-discuss said on Sat, 30 Mar 2024 09:35:28 -0700
>Among the many questions that need to be asked:
>
>1. How can we trust source tarballs / archive files to be 100% correct
>versus source code?
>2. Without looking at the source code line-by-line, how do we detect
>supply
der.hans via PLUG-discuss said on Fri, 29 Mar 2024 20:18:58 + (UTC)
>moin moin,
>
>someone patched a potential remote exploit into xz-utils. It seems it
>can compromise sshd.
Void Linux downgraded xz to 5.4.6 to avoid the problem until the dust settled.
SteveT
Steve Litt
Autumn 2023
Fedora 38 and 39 are not affected. But the Fedora 40 Beta is affected, and they are changing to a previous version in the Beta before it gets released to all users.
Harold Hartley
Sent with Proton Mail secure email.
On Saturday, March 30th, 2024 at 09:35, Matthew Crews via PLUG-discuss
On 3/29/24 13:18, der.hans via PLUG-discuss wrote:
moin moin,
someone patched a potential remote exploit into xz-utils. It seems it can compromise sshd.
The exploit was added in February affecting versions 5.6.0 and 5.6.1, but the exploiter has been around a while, so watch for updates.
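As an added example (not code from any post in this thread), here is one concrete check for the first question raised above, whether a release tarball matches the reviewed source tree, written in POSIX shell; the function names, the fixture and the file names in it are my own constructs, and it assumes tar, find, sed, sort and comm are available.

```shell
#!/bin/sh
# Added example (not from the thread): list files that a release tarball
# carries but the reviewed source tree does not. A tarball that matches the
# tree file-for-file is what the "reproducible" answer above is pointing at.
# Assumes POSIX sh with tar, find, sed, sort and comm. All paths and file
# contents below are constructed for the demonstration.
set -eu

# tarball_only_files TARBALL SRCDIR
# Prints, one per line, the regular files present in TARBALL (paths relative
# to its single top-level directory) that are absent from SRCDIR.
# Returns 0 when the tarball adds nothing, 1 when extra files were found.
tarball_only_files() {
    tarball=$1
    srcdir=$2
    tmp=$(mktemp -d)
    # Entries ending in "/" are directories; strip the top-level dir prefix.
    tar -tzf "$tarball" | grep -v '/$' | sed 's|^[^/]*/||' \
        | LC_ALL=C sort > "$tmp/tar.lst"
    (cd "$srcdir" && find . -type f | sed 's|^\./||' | LC_ALL=C sort) \
        > "$tmp/src.lst"
    # comm -23: lines only in the first (tarball) list.
    comm -23 "$tmp/tar.lst" "$tmp/src.lst" > "$tmp/extra.lst"
    if [ -s "$tmp/extra.lst" ]; then
        cat "$tmp/extra.lst"
        rm -rf "$tmp"
        return 1
    fi
    rm -rf "$tmp"
    return 0
}

# make_fixture: constructed demo data, a small tree and a tarball built from
# a copy of it with one file added. Prints the scratch directory.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/src/proj-1.0/build"
    printf 'int main(void) { return 0; }\n' > "$root/src/proj-1.0/main.c"
    printf 'all: main\n' > "$root/src/proj-1.0/build/Makefile"
    cp -R "$root/src" "$root/release"
    printf 'echo not-in-repo\n' > "$root/release/proj-1.0/build/extra.sh"
    tar -czf "$root/proj-1.0.tar.gz" -C "$root/release" proj-1.0
    echo "$root"
}

# Usage against real input: tarball_only_files proj-1.0.tar.gz ./checkout
```

Run against the fixture, the check reports `build/extra.sh` and exits non-zero; against a tree that matches the tarball it prints nothing and exits zero.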