xtaran, 1 month ago to debian

Yay, #Debian reduces #OpenSSH dependencies (in Debian Unstable for now) and removes #libsystemd dependency.

openssh (1:9.7p1-4) unstable; urgency=medium

• Rework systemd readiness notification and socket activation patches to not link against libsystemd (the former via an upstream patch).
• […]

Thanks Colin Watson!

(via https://tracker.debian.org/news/1516548/accepted-openssh-197p1-4-source-into-unstable/)

#xz #xzbackdoor #xzorcist #JiaT75 #systemd #AttackSurfaceReduction

Conan_Kudo, 1 month ago to random

All this talk about #xzorcist over the weekend, I want to also point out that it's important to remember that the "software supply chain" largely does not exist in regards to open source, because most people have no real relationship other than parasitic consumption with the project.

@Di4na's great blog post on this topic explains it quite well: https://www.softwaremaxims.com/blog/not-a-supplier

shellsharks, 1 month ago to infosec

There's A LOT going on (analysis, discussion, vendor notices, etc...) related to the ongoing xz/liblzma compromise so I created a "link roundup" which centralizes and buckets a lot of the awesome links and threads I've seen flying around.

https://shellsharks.com/xz-compromise-link-roundup

I will try to keep this up-to-date (ish) for a few days while things are hot but I make no promises beyond that.

#cve20243094 #xz #xzbackdoor #xzorcist #supplychainattack #xz4shell #infosec #cybersecurity

jwf, 1 month ago to linux

Most of my feed on the #xzorcist #xz mess is solution-eering on ideas for paying maintainers. It implies the way to fix this is to simply pay people for their time.

I am not seeing something else though. Has anyone actually asked the maintainer what they want? What if that answer was not money? What if it was "I don't want to do this anymore?"

Regardless of the answer this time around, we should be prepared to boldly face these types of answers too.

#Linux #OpenSource #infosec #CVE20243094

mkb, 1 month ago to infosec

OK, #infosec peeps, what’s the over/under on the number of days before another vuln with the same M.O. as #xzorcist is found?

And what about attribution? Place your bets!

#xz

Aaron, 1 month ago to random German

The original maintainer of #xz (Lasse) just fixed another affected piece of code that sabotaged library sandboxing and was, of course, also introduced by the malicious contributor Jia Tan.

https://git.tukaani.org/?p=xz.git;a=summary

This poor unpaid Fossdev probably has a ton of companies knocking on his door right now.

#xkcd

stevel, 1 month ago to random

Presumably, along with all of us making sure our products and services are safe #xzorcist , the offence teams at the other governments will be busy going through the #xz backdoor to understand how to exploit it -and then seeing if there any interesting targets that are vulnerable before the weekend is over. Busy weekend for all of us on call.

Conan_Kudo, 1 month ago to random

Lasse Collin (the main #xz maintainer) has now started working on a review of #xzorcist (credit to @jwf for the clever name!).

https://tukaani.org/xz-backdoor/

It's important to note how critical it was caught now: all the commercial distributions are making releases over the next 12-18 months: Red Hat with RHEL 10 in May 2025, SUSE with SLE 16 in fall 2025, and Canonical with Ubuntu 24.04 in April. It was key to infect their upstreams (Fedora, openSUSE, Debian) now.

Fortunately, it failed.

jwf, 1 month ago to opensource

How long before we start calling this #xz vulnerability the #xzorcist? 🤔

https://fedoramagazine.org/cve-2024-3094-security-alert-f40-rawhide/

#OpenSource #infosec #infosecurity #Linux #CVE