Fedora 38 and 39 are not affected. But the Fedora 40 Beta is affected and they are changing to a previous version in the Beta before it gets released to all users.

Harold Hartley

Sent with Proton Mail secure email.

On Saturday, March 30th, 2024 at 09:35, Matthew Crews via PLUG-discuss wrote:

> On 3/29/24 13:18, der.hans via PLUG-discuss wrote:
> > moin moin,
> >
> > someone patched a potential remote exploit into xz-utils. It seems it can
> > compromise sshd.
> >
> > The exploit was added in February affecting versions 5.6.0 and 5.6.1, but
> > the exploiter has been around a while, so watch for updates.
> >
> > https://www.openwall.com/lists/oss-security/2024/03/29/4
> >
> > https://lists.debian.org/debian-security-announce/2024/msg00057.html
> >
> > https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users
> >
> > ciao,
> >
> > der.hans
>
> This, ladies and gentlemen, is what a Supply Chain Attack looks like.
>
> While I'm not sure that this specific vulnerability led to much harm
> (who knows yet?), we're going to be feeling the after-shocks in the open
> source and security industries for a long time.
>
> Among the many questions that need to be asked:
>
> 1. How can we trust source tarballs / archive files to be 100% correct
> versus source code?
> 2. Without looking at the source code line-by-line, how do we detect
> supply chain attacks before they are propagated to end users?
> 3. How do we properly vet source code contributors to make sure they
> aren't going to perform supply chain attacks?
>
> -Matt
> ---------------------------------------------------
> PLUG-discuss mailing list: PLUG-discuss@lists.phxlinux.org
> To subscribe, unsubscribe, or to change your mail settings:
> https://lists.phxlinux.org/mailman/listinfo/plug-discuss
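An added check, not part of the thread and not code from xz-utils, OpenSSH or any distribution: a POSIX shell script that reports whether the installed xz is one of the two versions named above (5.6.0 and 5.6.1) and whether the local sshd binary links liblzma, which is the path der.hans's message says the exploit uses to reach sshd. The version strings it is tested against are constructed samples. It only compares version numbers and does not inspect the library itself, so a distribution build that reverts or patches the code while keeping the 5.6.x version string would still be reported, and a backdoored build shipped under another version string would not be.

```shell
#!/bin/sh
# Added example: flag the xz-utils releases named in the thread (5.6.0, 5.6.1)
# and report whether sshd links liblzma. Version-string comparison only.

# xz_is_affected VERSION -> returns 0 if VERSION is 5.6.0 or 5.6.1, else 1.
xz_is_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# parse_xz_version "<output of xz --version>" -> prints the xz binary version.
# The first line of `xz --version` looks like "xz (XZ Utils) 5.6.1".
parse_xz_version() {
    printf '%s\n' "$1" | sed -n '1s/^xz (XZ Utils) \([0-9][0-9.]*\).*$/\1/p'
}

# parse_liblzma_version "<output of xz --version>" -> prints the liblzma
# version from the "liblzma 5.6.1" line, or nothing if that line is absent.
parse_liblzma_version() {
    printf '%s\n' "$1" | sed -n 's/^liblzma \([0-9][0-9.]*\).*$/\1/p'
}

# check_system: inspect the live host. Prints findings; returns 1 if either
# the xz binary or its liblzma is an affected version, 0 otherwise.
check_system() {
    rc=0
    if command -v xz >/dev/null 2>&1; then
        out=$(xz --version 2>/dev/null)
        xzv=$(parse_xz_version "$out")
        lzv=$(parse_liblzma_version "$out")
        echo "xz binary version:  ${xzv:-unknown}"
        echo "liblzma version:    ${lzv:-unknown}"
        if xz_is_affected "$xzv" || xz_is_affected "$lzv"; then
            echo "WARNING: an affected xz-utils version (5.6.0/5.6.1) is installed"
            rc=1
        fi
    else
        echo "xz not found in PATH"
    fi

    # sshd is usually not in a normal user's PATH; fall back to /usr/sbin.
    sshd_path=$(command -v sshd 2>/dev/null || true)
    [ -z "$sshd_path" ] && [ -x /usr/sbin/sshd ] && sshd_path=/usr/sbin/sshd
    if [ -n "$sshd_path" ] && command -v ldd >/dev/null 2>&1; then
        if ldd "$sshd_path" 2>/dev/null | grep -q liblzma; then
            echo "sshd ($sshd_path) links liblzma; the liblzma version above applies to it"
        else
            echo "sshd ($sshd_path) does not link liblzma"
        fi
    fi
    return $rc
}

# Run the live check only when invoked as: sh xz_check.sh --check
case "${1:-}" in
    --check) check_system ;;
esac
```

Run it as `sh xz_check.sh --check`; a non-zero exit means one of the two named versions is present. Whether sshd links liblzma depends on the distribution's build (the systemd notification patch is what pulls it in on some distributions), so a "does not link liblzma" result is also worth knowing.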