security: check xz-utils versions

wheelie207 wheelie207 at proton.me
Sat Mar 30 10:38:44 MST 2024


Fedora 38 and 39 are not affected. But the Fedora 40 Beta is affected and they are changing to a previous version in the Beta before it gets released to all users.



Harold Hartley

Sent with Proton Mail secure email.

On Saturday, March 30th, 2024 at 09:35, Matthew Crews via PLUG-discuss <plug-discuss at lists.phxlinux.org> wrote:

> 
> On 3/29/24 13:18, der.hans via PLUG-discuss wrote:
> 
> > moin moin,
> > 
> > someone patched a potential remote exploit into xz-utils. It seems it can
> > compromise sshd.
> > 
> > The exploit was added in February affecting versions 5.6.0 and 5.6.1, but
> > the exploiter has been around a while, so watch for updates.
> > 
> > https://www.openwall.com/lists/oss-security/2024/03/29/4
> > 
> > https://lists.debian.org/debian-security-announce/2024/msg00057.html
> > 
> > https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users
> > 
> > ciao,
> > 
> > der.hans
> 
> 
> This, ladies and gentlemen, is what a Supply Chain Attack looks like.
> 
> While I'm not sure that this specific vulnerability led to much harm
> (who knows yet?), we're going to be feeling the after-shocks in the open
> source and security industries for a long time.
> 
> Among the many questions that need to be asked:
> 
> 1. How can we trust source tarballs / archive files to be 100% correct
> versus source code?
> 2. Without looking at the source code line-by-line, how do we detect
> supply chain attacks before they are propagated to end users?
> 3. How do we properly vet source code contributors to make sure they
> aren't going to perform supply chain attacks?
> 
> -Matt
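Added example, not part of the thread or of any poster's message: a small POSIX sh check for the xz-utils releases der.hans names above (5.6.0 and 5.6.1) on the local system. It assumes `xz --version` prints one line for the xz tool and one for liblzma, in the form `xz (XZ Utils) 5.6.1` / `liblzma 5.6.1`.

```shell
# Added example (not from the thread): flag the xz-utils releases named
# in the thread, 5.6.0 and 5.6.1, on the local system. Assumes
# `xz --version` prints one line for the tool and one for liblzma, e.g.
#   xz (XZ Utils) 5.6.1
#   liblzma 5.6.1

# Print every x.y.z version number found in the given text, one per line.
xz_versions_from_output() {
    printf '%s\n' "$1" |
        sed -n 's/.*[[:space:]]\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Exit 0 when the version is one of the backdoored releases, else 1.
# "Not in the affected range" is only as good as this list; keep it in
# step with the distro advisories linked in the thread.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Classify each version in a block of `xz --version` output.
# Exit: 0 none affected, 1 an affected version is present, 2 no version parsed.
classify_xz_output() {
    versions=$(xz_versions_from_output "$1")
    if [ -z "$versions" ]; then
        echo "could not parse a version from the output"
        return 2
    fi
    found=0
    for v in $versions; do
        if xz_version_affected "$v"; then
            echo "AFFECTED: xz-utils $v"
            found=1
        else
            echo "not in affected range: xz-utils $v"
        fi
    done
    return "$found"
}

# Run the check against whatever xz is first in PATH.
# Exit: 0 clean, 1 affected version present, 2 no xz binary or unparsable output.
check_installed_xz() {
    if ! command -v xz >/dev/null 2>&1; then
        echo "xz not found in PATH"
        return 2
    fi
    classify_xz_output "$(xz --version 2>/dev/null)"
}

check_installed_xz || echo "exit status $? (1 = affected, 2 = no xz / unparsable)"
```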

