At #oSC24, the @SUSE security team gives a report about #xzorcist.
April was dominated above all by the #XZ hole, which we discuss alongside your feedback. But there was also good news: a new Forgejo pre-release, new #RHEL and #AlmaLinux betas, as well as the first developments from the #Redis forks. Incus 6.0 LTS has been released, Xen costs appear to be rising, and Canonical now offers up to 12 years of support for LTS releases, starting from Ubuntu 14.04.
@leachimus I almost dropped my phone and don't know whether to laugh out loud or cry…
But hey, A #GERMAN!!!!!11elf, the most important thing about the whole affair….
#Drecksblatt #HaltDieFresseSpringerPresse
#xz #xzbackdoor #xzutils
Hehe: but the hashtag really is funny in its (actual) context: #xzorcist 😂
Yay, #Debian reduces #OpenSSH dependencies (in Debian Unstable for now) and removes #libsystemd dependency.
openssh (1:9.7p1-4) unstable; urgency=medium
* Rework systemd readiness notification and socket activation patches to not link against libsystemd (the former via an upstream patch).
* […]
Thanks @cjwatson!
(via https://tracker.debian.org/news/1516548/accepted-openssh-197p1-4-source-into-unstable/)
#xz #xzbackdoor #xzorcist #JiaT75 #systemd #AttackSurfaceReduction
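The readiness-notification rework above, as an added example (not the OpenSSH upstream patch or Debian's packaging): the sd_notify wire protocol is one datagram to the unix socket named in $NOTIFY_SOCKET, so a daemon can speak it in a few lines of C and drop libsystemd, together with that library's transitive dependencies such as liblzma. The function names are my own.

```c
/* Added example: systemd readiness notification without libsystemd.
 * Sends the sd_notify(3) wire message ("READY=1") as one datagram to the
 * unix socket named in $NOTIFY_SOCKET, so a daemon needs no library for
 * this and inherits none of that library's transitive dependencies. */
#define _POSIX_C_SOURCE 200809L   /* getenv/setenv/unsetenv, unlink, close */
#include <errno.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/* Returns 1 if the message was sent, 0 if NOTIFY_SOCKET is unset (not
 * running under a service manager, which is not an error), -1 on failure. */
int notify_systemd(const char *msg)
{
    const char *path = getenv("NOTIFY_SOCKET");
    if (path == NULL || path[0] == '\0')
        return 0;
    /* Only filesystem paths and abstract ("@name") sockets are valid. */
    if (path[0] != '/' && path[0] != '@')
        return -1;

    struct sockaddr_un addr;
    size_t len = strlen(path);
    if (len >= sizeof addr.sun_path)
        return -1;
    memset(&addr, 0, sizeof addr);
    addr.sun_family = AF_UNIX;
    memcpy(addr.sun_path, path, len);
    if (addr.sun_path[0] == '@')
        addr.sun_path[0] = '\0';            /* abstract-namespace marker */
    socklen_t addrlen = (socklen_t)(offsetof(struct sockaddr_un, sun_path) + len);

    int fd = socket(AF_UNIX, SOCK_DGRAM | SOCK_CLOEXEC, 0);
    if (fd < 0)
        return -1;
    ssize_t n = sendto(fd, msg, strlen(msg), MSG_NOSIGNAL,
                       (const struct sockaddr *)&addr, addrlen);
    int saved = errno;                      /* keep errno across close() */
    close(fd);
    errno = saved;
    return (n >= 0 && (size_t)n == strlen(msg)) ? 1 : -1;
}

/* What a daemon calls once it can accept connections. */
int notify_ready(void)
{
    return notify_systemd("READY=1");
}
```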
reflections on distrusting xz
"Was the ssh backdoor the only goal that "Jia Tan" was pursuing with their multi-year operation against xz?
I doubt it, and if not, then every fix so far has been incomplete, because everything is still running code written by that entity."
https://joeyh.name/blog/entry/reflections_on_distrusting_xz/
#xz #XzBackdoor #xzorcist #cve_2024_3094
@AndresFreundTec now that @fedora, @ubuntu and @archlinux have frame pointers, maybe this #xzorcist issue will encourage #Debian to follow suit
Trying to take part in #30DaysOfBiking. Discovered it only today after dinner. Thanks to @ascentale for making me aware of it and @kimu + @IPEdmonton for explaining what it is and linking to https://30daysofbiking.com/.
Originally I planned to do a cycle tour or two over the long Easter weekend, but then the #xzbackdoor fuckup happened and I sat hours in front of my workstation at home or the laptop. So in the end I did a short ride around the block today.
Perhaps the long con is an even longer con in which an attacker attempts to drive many #infosec people into burnouts over time by hiding malware in packages that are then discovered just before holiday weekends.
All this talk about #xzorcist over the weekend, I want to also point out that it's important to remember that the "software supply chain" largely does *not* exist in regards to open source, because most people have no real relationship other than parasitic consumption with the project.
@Di4na's great blog post on this topic explains it quite well: https://www.softwaremaxims.com/blog/not-a-supplier
Wishing you all happy holidays, without rotten eggs like these :blobcatpolicepeek:
So that no panic breaks out: #cve20243094, christened #xzorcist, in xz versions 5.6.x allows ssh RCE via the RSA key 😰
BUT
"The backdoor did not make it into stable Debian or Ubuntu releases, ...
The macOS package manager Homebrew, on the other hand, is not directly affected."
Termux/Gentoo packages: please update.
https://social.heise.de/@heisec/112186774018632515
#xz #xzbackdoor #supplychainattack #xz4shell #infosec #cybersecurity
There's A LOT going on (analysis, discussion, vendor notices, etc...) related to the ongoing xz/liblzma compromise so I created a "link roundup" which centralizes and buckets a lot of the awesome links and threads I've seen flying around.
https://shellsharks.com/xz-compromise-link-roundup
I will *try* to keep this up-to-date (ish) for a few days while things are hot but I make no promises beyond that.
#cve20243094 #xz #xzbackdoor #xzorcist #supplychainattack #xz4shell #infosec #cybersecurity
Compliance Officers: "Maintainer, who does not owe me anything, I need you to fill out this form and take responsibility!"
Salespeople: "My product solves this and any other problem in cybersecurity. With a premium sub you can also end world hunger."
LinkedIn Influencers: "The end is nigh! This time I'm sure!"
Most of my feed on the #xzorcist #xz mess is solution-eering on ideas for paying maintainers. It implies the way to fix this is to simply pay people for their time.
I am not seeing something else though. Has anyone actually *asked* the maintainer what they want? What if that answer was not money? What if it was "I don't want to do this anymore?"
Regardless of the answer this time around, we should be prepared to boldly face these types of answers too.
@Aaron: Oh, and the now infamous "Simplify SECURITY.md" commit by #JiaT75 is now also in that repo: https://git.tukaani.org/?p=xz.git;a=commit;h=af071ef7702debef4f1d324616a0137a5001c14c
So it's up to date with Github again (and now ahead of it). #xz #xzorcist #xzbackdoor
@vaurora: In this case it was rather "not enough people involved" instead of "too many involved": See #busfactor and https://xkcd.com/2347 #xkcd2347
This was only possible because the original maintainer did that work alone and seems to have been close to a #burnout and urgently needed someone to step in. So it was easy to get the co-maintainer position without long-time #trust being involved.