security: check xc-utils versions
Matthew Crews
mailinglists at mattcrews.com
Sat Mar 30 09:35:28 MST 2024
On 3/29/24 13:18, der.hans via PLUG-discuss wrote:
> moin moin,
>
> someone patched a potential remote exploit into xz-utils. It seems it can
> compromise sshd.
>
> The exploit was added in February affecting versions 5.6.0 and 5.6.1, but
> the exploiter has been around a while, so watch for updates.
>
> https://www.openwall.com/lists/oss-security/2024/03/29/4
>
> https://lists.debian.org/debian-security-announce/2024/msg00057.html
>
> https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users
>
>
> ciao,
>
> der.hans
This, ladies and gentlemen, is what a Supply Chain Attack looks like.
While I'm not sure that this specific vulnerability led to much harm
(who knows yet?), we're going to be feeling the after-shocks in the open
source and security industries for a long time.
Among the many questions that need to be asked:
1. How can we trust source tarballs / archive files to be 100% correct
versus source code?
2. Without looking at the source code line-by-line, how do we detect
supply chain attacks before they are propagated to end users?
3. How do we properly vet source code contributors to make sure they
aren't going to perform supply chain attacks?
-Matt
More information about the PLUG-discuss
mailing list