XZ-Utils Backdoored

xz-utils, a package used by pretty much every Linux distro, has been backdoored for about a month. Luckily, it isn't as bad as it could be as most installs run an earlier version, but if you have a Linux machine that's connected to the internet (and you care if it gets broken into), or run homebrew on your Mac, you should check what version you're running.

Assuming you use 'apt' for your package manager, you can just do this by running "apt info xz-utils". I'd advise against running "xz -V" to check the version, as this would run the binary to get the version, which obviously isn't a great idea. If you're running versions 5.6.0 - 5.6.1, you should downgrade immediately.

If you want more information, the CVE is CVE-2024-3094.
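The version check from the post above, done from the package database so the xz binary is never executed. This is an added example, not part of the original thread; it assumes a dpkg-based system, the function names are made up here, and the handling of epochs and Debian's `+really` version convention goes beyond what the post covers.

```shell
#!/bin/sh
# Added example: classify an installed xz package version without running xz.
# Function names are hypothetical; the affected range (5.6.0 - 5.6.1) is the
# one given in the post.

# Reduce a package version string to the upstream version it actually ships:
#   "1:5.6.1-1"            epoch prefix is dropped
#   "5.6.1-3.fc40"         package revision is dropped
#   "5.6.1+really5.4.5-1"  Debian "+really" convention: the payload is 5.4.5
upstream_version() {
    v=${1#*:}                               # drop epoch, if any
    case $v in
        *+really*) v=${v##*+really} ;;      # keep what follows "+really"
    esac
    v=${v%%-*}                              # drop package revision
    v=${v%%[+~]*}                           # drop remaining suffixes (+dfsg, ~rc1)
    printf '%s\n' "$v"
}

# Print affected / not-affected / unknown for one package version string.
xz_version_status() {
    case $(upstream_version "$1") in
        5.6.0|5.6.1) echo affected ;;
        '')          echo unknown ;;
        *)           echo not-affected ;;
    esac
}

# Ask dpkg's database for the installed versions. xz-utils is the package
# named in the post; liblzma5 is the matching library package on Debian/Ubuntu.
installed_xz_versions() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Package} ${Version}\n' xz-utils liblzma5 2>/dev/null
    fi
}

# Report one line per installed package: name, version, status.
installed_xz_versions | while read -r pkg ver; do
    printf '%s\t%s\t%s\n' "$pkg" "$ver" "$(xz_version_status "$ver")"
done
```

A plain string match on "5.6.1" would wrongly flag a package versioned `5.6.1+really5.4.5-1`, which is why the upstream version is extracted first.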

As someone from a non-technical background, it sort of blew my mind as I was learning to use Linux how much security relied on someone else probably having checked over code in random package managers like NPM but this is another level.

Actually got into a full release of Fedora and into Debian Unstable looks like.

AFAIK it's not in Fedora yet (they were planning to include it in Fedora 40 & 41), but it is in Debian unstable.
Wired has a pretty interesting article on the maintainer/intelligence operative: The Mystery of ‘Jia Tan,’ the XZ Backdoor Mastermind.

Jia Tan exploited open source software’s crowdsourced approach to coding whereby anyone can suggest changes to a program on code repositories like GitHub, where the changes are reviewed by other coders before they’re integrated into the software. Peeling back Jia Tan’s documented history in the open source programming world reveals that they first appeared in November 2021 with the GitHub username JiaT75, then made contributions to other open source projects using the name Jia Tan, or sometimes Jia Cheong Tan, for more than a year before beginning to submit changes to XZ Utils.

By January 2023, Jia Tan’s code was being integrated into XZ Utils. Over the next year, they would largely take control of the project from its original maintainer, Lasse Collin, a change driven in part by nagging emails sent to Collin by a handful of users complaining about slow updates. (Whether those users were unwitting accomplices, or actually working with Jia Tan to persuade Collin to relinquish control, remains unclear. None of the users replied to requests for comment from WIRED.) Finally, Jia Tan added their stealthy backdoor to a version of XZ Utils in February of this year.