Re: security: check xc-utils versions

Top Page
Attachments:
Message as email
+ (text/plain)
Delete this message
Reply to this message
Author: Matthew Crews via PLUG-discuss
Date:  
To: plug-discuss
CC: Matthew Crews
Subject: Re: security: check xc-utils versions


On 3/29/24 13:18, der.hans via PLUG-discuss wrote:
> moin moin,
>
> someone patched a potential remote exploit into xz-utils. It seems it can
> compromise sshd.
>
> The exploit was added in February affecting versions 5.6.0 and 5.6.1, but
> the exploiter has been around a while, so watch for updates.
>
> https://www.openwall.com/lists/oss-security/2024/03/29/4
>
> https://lists.debian.org/debian-security-announce/2024/msg00057.html
>
> https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users
>
>
> ciao,
>
> der.hans


This, ladies and gentlemen, is what a Supply Chain Attack looks like.

While I'm not sure that this specific vulnerability led to much harm
(who knows yet?), we're going to be feeling the after-shocks in the open
source and security industries for a long time.

Among the many questions that need to be asked:

1. How can we trust source tarballs / archive files to be 100% correct
versus source code?
2. Without looking at the source code line-by-line, how do we detect
supply chain attacks before they are propagated to end users?
3. How do we properly vet source code contributors to make sure they
aren't going to perform supply chain attacks?

-Matt
---------------------------------------------------
PLUG-discuss mailing list:
To subscribe, unsubscribe, or to change your mail settings:
https://lists.phxlinux.org/mailman/listinfo/plug-discuss