Conversation

Notices

1. Embed this notice
   AndresFreundTec (andresfreundtec@mastodon.social)'s status on Saturday, 30-Mar-2024 04:46:54 JST AndresFreundTec

   @dgilman Unfortunately I suspect we'll see a lot more such attacks going forward, in all likelihood with more success in some cases.

   • Haelwenn /элвэн/ :triskell: likes this.
   • AnthonyJK-Admin repeated this.
   • Embed this notice
     Rihards Olups (richlv@mastodon.social)'s status on Saturday, 30-Mar-2024 04:47:47 JST Rihards Olups

     in reply to

     @AndresFreundTec @dgilman
     This is insane. I expect full-fledged articles out soon, but another interesting bit in https://news.ycombinator.com/item?id=39866275 :

     "the apparent author of the backdoor was in communication with me over several weeks trying to get xz 5.6.x added to Fedora 40 & 41 because of it's "great new features""

     This is CVE-2024-3094 for easier tracking.

     #JiaT75 #CVE20243094

   • Embed this notice
     Rihards Olups (richlv@mastodon.social)'s status on Saturday, 30-Mar-2024 04:47:47 JST Rihards Olups

     in reply to

     @AndresFreundTec @dgilman
     From the same thread:

     "Fascinating. Just yesterday the author added a `SECURITY.md` file to the `xz-java` project.

     > If you discover a security vulnerability in this project please report it privately. *Do not disclose it as a public issue.* This gives us time to work with you to fix the issue before public exposure, reducing the chance that the exploit will be used before a patch is released."

     Haelwenn /элвэн/ :triskell: likes this.