XZ Struck By Malicious Code That Could Allow Unauthorized Remote System Access
VoidLinux has shipped the malicious release, but apparently is not affected.
Bad news: https://www.openwall.com/lists/oss-security/2024/03/29/4 Good news: As of the current state of investigation VoidLinux is not affected by this backdoor.
-
Originally posted by oibaf View Post
All the details are here: https://lwn.net/ml/oss-security/2024...3.anarazel.de/
Does that mean that if sshd ever gets executed, my system is entirely compromised? The mail is talking about liblzma and oh boy a lot of stuff is linked to it.
In Fedora 40 with relatively few packages, the following ones depend on it:
Code:
deltarpm-3.6.3-11.fc39.x86_64
elfutils-libs-0.191-2.fc39.x86_64
gdb-headless-14.1-4.fc39.x86_64
GraphicsMagick-1.3.40-3.fc39.x86_64
grub2-tools-1:2.06-118.fc39.x86_64
grub2-tools-extra-1:2.06-118.fc39.x86_64
grub2-tools-minimal-1:2.06-118.fc39.x86_64
imlib2-1.11.1-3.fc39.x86_64
kmod-30-6.fc39.x86_64
kmod-libs-30-6.fc39.x86_64
libarchive-3.7.1-1.fc39.x86_64
libsolv-0.7.28-1.fc39.x86_64
libxml2-2.10.4-3.fc39.x86_64
libxmlb-0.3.15-1.fc39.x86_64
libzip-1.10.1-1.fc39.x86_64
minizip-ng-3.0.7-5.fc39.x86_64
perf-6.7.10-200.fc39.x86_64
python3-libs-3.12.2-2.fc39.x86_64
rpm-libs-4.19.1.1-1.fc39.x86_64
squashfs-tools-4.6.1-2.fc39.x86_64
systemd-254.10-1.fc39.x86_64
systemd-libs-254.10-1.fc39.x86_64
systemd-udev-254.10-1.fc39.x86_64
zstd-1.5.5-4.fc39.x86_64
-
Originally posted by avis View Post
This is 100% unrelated and VB was a single toggle to switch/disable and not deal with possibly malicious macros, if you ever were concerned about this attack vector.
That roliverio guy heavily implied and joked about MS/Apple/Google actually distributing malware (an interpreter is not malware cause otherwise a compiler in your distro is ALSO an attack vector and Python gets installed by default in pretty much all distros) and I'm sad these companies won't sue him for libel.
-
Originally posted by bug77 View Post
Right, so unnecessarily creating a new attack surface for malware (despite prior warning) is fine, but unknowingly distributing malware is not. Duly noted.
- Bash (installed by default)
- Python (installed by default)
- Perl (often installed by default)
- GCC/Clang
- Ruby
- PHP
- Lua
Microsoft has never distributed malware, period. Stop making shit up.
Originally posted by bug77 View Post
Stating the obvious...
-
Originally posted by Volta View Post
Linux code is way more inspected than everything that comes from Microsoft or Apple.
Then why is desktop Linux so buggy when it has better inspection than macOS and Windows????
Linux desktop is legendary for its bugs.
Answer yourself why so many developers switched from Linux to macOS???? Because they're tired of fighting stupid bugs, unsuccessful updates. They want to work.
-
The update hasn't yet been pushed to Fedora 40 beta users: https://bodhi.fedoraproject.org/upda...z&releases=F40
What the actual hell?
Should the affected systems be nuked and reinstalled from scratch? I still don't understand.
Originally posted by HEL88 View Post
Then why is desktop Linux so buggy when it has better inspection than macOS and Windows????
Linux desktop is legendary for its bugs.
Answer yourself why so many developers switched from Linux to macOS???? Because they're tired of fighting stupid bugs, unsuccessful updates. They want to work.
Some people love to use their PC, not the other way around.
-
This seems to have been a very thought out and involved attack, obfuscated at every turn. Imagine the design effort they had to put in, compared to Microsoft and Apple who just put out code that no-one knows and when the exploit is found, they "fix" it by code that no-one knows, probably just moving it around a bit. This, avis, is why they "never got caught". Because you believed them and their constant "innocently" backdoored releases.