9mo ago

CVE-2024-3094: Urgent alert for Fedora Linux 40 and Rawhide users

fedoramagazine.org CVE-2024-3094: Urgent alert for Fedora Linux 40 and Rawhide users - Fedora Magazine

Summary: The latest versions of the “xz” tools and libraries contain malicious code that appears to be intended to allow unauthorized access. Specifically, this code is present in versions 5.6.0 and 5.6.1 of the libraries. Fedora Linux 40 users may have received version 5.6.0, depending on the timin...

You're viewing a single thread.

18 comments

Me: fixes exposure to vuln
Also me: grabs popcorn
This is going to be an interesting story once this all quiets down...
- Gonna take a bit. The dudes been doing the releases for over a year, everything they touched is suspect now even if nothing earlier is known. Also some other associated accounts have been doing shady stuff too.
  And that’s just one project that had a burnt out maintainer who welcomed some help from this guy. There are probably others. The hobby project becoming a core piece is a big issue.
  
  Yeah, it looks like that little Jenga block from the xkcd meme was XZ and a bunch of infrastructure is gonna have issues because of it.
  
  Gonna take a bit. The dudes been doing the releases for over a year, everything they touched is suspect now even if nothing earlier is known. Also some other associated accounts have been doing shady stuff too.
  gonna take even a bit more now. Github closed the account and project making it really difficult to see their commits and merges and analyze them.
  
  It’s also at https://git.tukaani.org.
- Fixes exposure
  It says F39 users are not affected. Are you running Rawhide/F40 Beta? p
  
  Running Arch, so not really exposed, but still had a compromised version installed.

18 comments