
XZ-Utils Backdoored

xz-utils, a package used by pretty much every Linux distro, has been backdoored for about a month. Luckily, it isn't as bad as it could be as most installs run an earlier version, but if you have a Linux machine that's connected to the internet (and you care if it gets broken into), or run homebrew on your Mac, you should check what version you're running.

Assuming you use 'apt' for your package manager, you can just do this by running "apt info xz-utils". I'd advise against running "xz -V" to check the version, as this would run the binary to get the version, which obviously isn't a great idea. If you're running versions 5.6.0 - 5.6.1, you should downgrade immediately.

If you want more information, the CVE is CVE-2024-3094.
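The check described in the post above, written as a script that reads the version from the package database instead of executing xz (an added example, not part of the original post). The function names are hypothetical and the sample version strings are constructed; it assumes a dpkg-based system and treats 5.6.0 and 5.6.1 as the affected releases, as the post states.

```shell
#!/bin/sh
# Classify an xz-utils package version without ever running the xz binary.

# Reduce a Debian-style package version to the upstream version it really ships.
#   "1:5.6.1-1"           -> "5.6.1"
#   "5.6.1+really5.4.5-1" -> "5.4.5"  (Debian "+really" marks a revert to older code)
upstream_version() {
    v=$1
    v=${v#*:}                              # drop an epoch prefix "N:"
    case $v in
        *+really*) v=${v##*+really} ;;     # keep what is actually packaged
    esac
    v=${v%%-*}                             # drop the package revision
    v=${v%%[+~]*}                          # drop any remaining +/~ suffix
    printf '%s\n' "$v"
}

# Print "affected", "not-affected" or "unknown" for one version string.
classify_xz_version() {
    case $(upstream_version "$1") in
        5.6.0|5.6.1) echo affected ;;
        '')          echo unknown ;;
        *)           echo not-affected ;;
    esac
}

# Ask dpkg's database for the installed version; prints nothing if unavailable.
installed_xz_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Version}' xz-utils 2>/dev/null
    fi
}

# Constructed sample version strings, so the script shows output on any machine.
for sample in 5.4.5-0.3 5.6.0-0.2 5.6.1-1 '5.6.1+really5.4.5-1'; do
    printf '%-22s %s\n' "$sample" "$(classify_xz_version "$sample")"
done

# Report on this machine when the package database has an answer.
if inst=$(installed_xz_version) && [ -n "$inst" ]; then
    printf 'installed: %s -> %s\n' "$inst" "$(classify_xz_version "$inst")"
fi
```

The "+really" case matters because a package whose version string still begins with 5.6.1 can contain reverted, older upstream code, so a plain prefix match on the string would flag it wrongly.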

As someone from a non-technical background, it sort of blew my mind as I was learning to use Linux how much security relied on someone else probably having checked over code in random package managers like NPM but this is another level.

Actually got into a full release of Fedora and into Debian Unstable looks like.

AFAIK it's not in Fedora yet (they were planning to include it in Fedora 40 & 41), but it is in Debian unstable.
Wired has a pretty interesting article on the maintainer/intelligence operative: The Mystery of ‘Jia Tan,’ the XZ Backdoor Mastermind.

Jia Tan exploited open source software’s crowdsourced approach to coding whereby anyone can suggest changes to a program on code repositories like GitHub, where the changes are reviewed by other coders before they’re integrated into the software. Peeling back Jia Tan’s documented history in the open source programming world reveals that they first appeared in November 2021 with the GitHub username JiaT75, then made contributions to other open source projects using the name Jia Tan, or sometimes Jia Cheong Tan, for more than a year before beginning to submit changes to XZ Utils.

By January 2023, Jia Tan’s code was being integrated into XZ Utils. Over the next year, they would largely take control of the project from its original maintainer, Lasse Collin, a change driven in part by nagging emails sent to Collin by a handful of users complaining about slow updates. (Whether those users were unwitting accomplices, or actually working with Jia Tan to persuade Collin to relinquish control, remains unclear. None of the users replied to requests for comment from WIRED.) Finally, Jia Tan added their stealthy backdoor to a version of XZ Utils in February of this year.