On 3/29/24 13:18, der.hans via PLUG-discuss wrote:
> moin moin,
>
> someone patched a potential remote exploit into xz-utils. It seems it can
> compromise sshd.
>
> The exploit was added in February affecting versions 5.6.0 and 5.6.1, but
> the exploiter has been around a while, so watch for updates.
>
> https://www.openwall.com/lists/oss-security/2024/03/29/4
>
> https://lists.debian.org/debian-security-announce/2024/msg00057.html
>
> https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users 
>
>
> ciao,
>
> der.hans

This, ladies and gentlemen, is what a Supply Chain Attack looks like.

While I'm not sure that this specific vulnerability led to much harm 
(who knows yet?), we're going to be feeling the after-shocks in the open 
source and security industries for a long time.

Among the many questions that need to be asked:

1. How can we trust source tarballs / archive files to be 100% correct 
versus source code?
2. Without looking at the source code line-by-line, how do we detect 
supply chain attacks before they are propagated to end users?
3. How do we properly vet source code contributors to make sure they 
aren't going to perform supply chain attacks?

-Matt
---------------------------------------------------
PLUG-discuss mailing list: PLUG-discuss@lists.phxlinux.org
To subscribe, unsubscribe, or to change your mail settings:
https://lists.phxlinux.org/mailman/listinfo/plug-discuss