Re: security: check xz-utils versions

Author: wheelie207 via PLUG-discuss
Date:  
To: Main PLUG discussion list
CC: wheelie207
Subject: Re: security: check xz-utils versions
Fedora 38 and 39 are not affected. But the Fedora 40 Beta is affected, and they are changing to a previous version in the Beta before it gets released to all users.

Harold Hartley

Sent with Proton Mail secure email.

On Saturday, March 30th, 2024 at 09:35, Matthew Crews via PLUG-discuss <> wrote:

>
> On 3/29/24 13:18, der.hans via PLUG-discuss wrote:
>
> > moin moin,
> >
> > someone patched a potential remote exploit into xz-utils. It seems it can
> > compromise sshd.
> >
> > The exploit was added in February affecting versions 5.6.0 and 5.6.1, but
> > the exploiter has been around a while, so watch for updates.
> >
> > https://www.openwall.com/lists/oss-security/2024/03/29/4
> >
> > https://lists.debian.org/debian-security-announce/2024/msg00057.html
> >
> > https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users
> >
> > ciao,
> >
> > der.hans
>
>
> This, ladies and gentlemen, is what a Supply Chain Attack looks like.
>
> While I'm not sure that this specific vulnerability led to much harm
> (who knows yet?), we're going to be feeling the after-shocks in the open
> source and security industries for a long time.
>
> Among the many questions that need to be asked:
>
> 1. How can we trust source tarballs / archive files to be 100% correct
> versus source code?
> 2. Without looking at the source code line-by-line, how do we detect
> supply chain attacks before they are propagated to end users?
> 3. How do we properly vet source code contributors to make sure they
> aren't going to perform supply chain attacks?
>
> -Matt

---------------------------------------------------
PLUG-discuss mailing list:
To subscribe, unsubscribe, or to change your mail settings:
https://lists.phxlinux.org/mailman/listinfo/plug-discuss
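An added check, example code from the editor rather than from anyone in the thread, that compares the installed xz and liblzma version strings against the two releases der.hans names (5.6.0 and 5.6.1). It assumes `xz --version` prints the tool version as the last field of its first line and a separate `liblzma <version>` line, which is the format XZ Utils uses.

```shell
#!/bin/sh
# Added example, not from the thread: flag the xz-utils releases named in the
# message (5.6.0 and 5.6.1) when they appear as the installed xz or liblzma version.

AFFECTED_VERSIONS="5.6.0 5.6.1"   # releases named in the advisory links above

# Returns 0 (true) when the given version string is one of the affected releases.
xz_version_affected() {
    for a in $AFFECTED_VERSIONS; do
        [ "$1" = "$a" ] && return 0
    done
    return 1
}

# Parse `xz --version` output on stdin. Constructed sample of that format:
#   xz (XZ Utils) 5.6.1
#   liblzma 5.6.1
xz_tool_version_from_output() { awk 'NR == 1 { print $NF; exit }'; }
liblzma_version_from_output() { awk '/^liblzma/ { print $2; exit }'; }

# Check the running system. The xz binary and the liblzma it reports are
# classified separately: the backdoor lives in liblzma, which is the library
# sshd ends up loading on affected systems, so a mismatch matters.
check_installed_xz() {
    if ! command -v xz >/dev/null 2>&1; then
        echo "xz not installed"
        return 0
    fi
    out=$(xz --version 2>/dev/null)
    status=0
    for v in $(printf '%s\n' "$out" | xz_tool_version_from_output) \
             $(printf '%s\n' "$out" | liblzma_version_from_output); do
        if xz_version_affected "$v"; then
            echo "AFFECTED: $v"
            status=1
        else
            echo "not in affected list: $v"
        fi
    done
    return $status
}

# Run as `sh xzcheck.sh --check`; sourcing the file just defines the functions.
if [ "$1" = "--check" ]; then
    check_installed_xz
fi
```

The check matches only the version strings named in the thread, so a distribution that reverted to an earlier release, as Harold describes for the Fedora 40 Beta, will report the older version and pass; confirm against your distribution's package database as well.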