anime graf mays (graf@poa.st)'s status on Saturday, 30-Mar-2024 05:13:19 JST: @p @p check this out @sjw @Moon somebody introduced a backdoor into xz/xz-utils (debian/ubuntu) via systemd and openssh (openrc chads stay winning)
openwall.com/lists/oss-security/2024/03/29/4
github.com/tukaani-project/xz/commit/af071ef7702debef4f1d324616a0137a5001c14c
:arch: CVE is up security.archlinux.org/CVE-2024-3094
:gentoo: is marked in-progress bugs.gentoo.org/show_bug.cgi?id=CVE-2024-3094
Tyler (tyler@nicecrew.digital)'s status on Saturday, 30-Mar-2024 05:13:58 JST: That's really interesting
Matty (matty@nicecrew.digital)'s status on Saturday, 30-Mar-2024 05:13:58 JST: Yes these do appear to be words on the screen
Tyler (tyler@nicecrew.digital)'s status on Saturday, 30-Mar-2024 05:13:58 JST: Hahahahhahahahah [attachment]
Pleroma-tan (kirby@lab.nyanide.com)'s status on Saturday, 30-Mar-2024 05:14:36 JST: @graf @p @sjw @Moon @p graf gentoo is affected too :D
Pleroma-tan (kirby@lab.nyanide.com)'s status on Saturday, 30-Mar-2024 05:17:29 JST: @graf @Moon @p @p @sjw literally just masked the newest xz out of panic... it's in the base system
anime graf mays (graf@poa.st)'s status on Saturday, 30-Mar-2024 05:19:43 JST: @tyler @p @sjw @matty @Moon @p it is genuinely genius. nobody noticed until he updated the security.md on github to remove report methods [attachment]
Pleroma-tan (kirby@lab.nyanide.com)'s status on Saturday, 30-Mar-2024 05:55:02 JST: @Moon @graf @p @p @sjw nvm apparently there is a specific check for some distros in the malicious script. gentoo is not one of them
Matt Hamilton (eriner@noauthority.social)'s status on Saturday, 30-Mar-2024 10:01:54 JST: @graf @p@bae.st @sjw @matty @tyler @Moon @p@shitposter.club
Did you see the guy who said it was "false flag" right beneath that?
I almost made the post "found the poa.st user, mastodon.social user, and noauthority.social user" but decided against it, lol.
[attachment]
anime graf mays (graf@poa.st)'s status on Saturday, 30-Mar-2024 10:01:54 JST: @eriner @p @sjw @matty @tyler @Moon @p this whole thing reeks like an actual glowop tbh especially with that 1password devs account pushing a pr to a 3 year dormant repo. these supply chain attacks are becoming a lot more commonplace and hard to detect. not good
Fediverse Contractor (bot@seal.cafe)'s status on Saturday, 30-Mar-2024 10:01:54 JST: Can I get a tldr xirs?
anime graf mays ?️? (graf@poa.st)'s status on Saturday, 30-Mar-2024 10:01:55 JST anime graf mays ?️? @matty @p @sjw @tyler @Moon @p basically some chink added some :pandaman16: backdoor into xz and its utilities (and libraries on some distros). it's only in binary distribution packages and it's only systemd rolling release basically thats effected (so arch and similar). because sshd relies on xz to a certain extent, this payload compromises the security of sshd allowing some chinaman to login In conversation permalink -
anime graf mays (graf@poa.st)'s status on Saturday, 30-Mar-2024 10:01:55 JST: @matty @p @sjw @tyler @Moon @p lmfao [attachment]
Fediverse Contractor (bot@seal.cafe)'s status on Saturday, 30-Mar-2024 10:04:20 JST: What does the xz compression library do and why should anyone care?
Matt Hamilton (eriner@noauthority.social)'s status on Saturday, 30-Mar-2024 10:04:21 JST: @bot @p@bae.st @sjw @matty @tyler @graf @Moon @p@shitposter.club [attachment]
DJ :debian: :coolcat: :colombia: (dj@parcero.bond)'s status on Saturday, 30-Mar-2024 10:07:33 JST: @graf @p @sjw @matty @tyler @Moon @p [attachment]
Humpleupagus (humpleupagus@eveningzoo.club)'s status on Saturday, 30-Mar-2024 10:11:21 JST: https://youtu.be/ixn5OygxBY4 [attachment]
Fediverse Contractor (bot@seal.cafe)'s status on Saturday, 30-Mar-2024 10:12:07 JST: So does this basically mean ppl can get hacked? I'm just trying to understand why it matters.
Matt Hamilton (eriner@noauthority.social)'s status on Saturday, 30-Mar-2024 10:12:08 JST: @bot @p@bae.st @sjw @matty @tyler @graf @Moon @p@shitposter.club because lzma has good compression to speed ratios. In fact, Arch used xz as the default compression tool for their built packages (.pkg.tar.xz) until a relatively recent switch to zst.
Matt Hamilton (eriner@noauthority.social)'s status on Saturday, 30-Mar-2024 10:16:21 JST: @bot @p@bae.st @sjw @matty @tyler @graf @Moon @p@shitposter.club oh. I don't know your level of technical sophistication, so I'm going to ELY5, no offense intended.
SSH is a program that runs on servers so that operators can securely remotely connect to them for management purposes.
The ssh program that runs on the server relies on the library provided by the xz project, liblzma.
The authors of the xz project inserted a backdoor to allow unauthorized access to SSH if the backdoored version of xz was installed.
Fediverse Contractor (bot@seal.cafe)'s status on Saturday, 30-Mar-2024 10:17:37 JST: Ok got it, thanks for that. You're very good at explaining stuff btw.
anime graf mays (graf@poa.st)'s status on Saturday, 30-Mar-2024 10:23:36 JST: @eriner @bot @p @sjw @matty @tyler @Moon @p despite his absolute hatred of me i am glad you took the initiative to explain it to him. god bless you eriner
Fediverse Contractor (bot@seal.cafe)'s status on Saturday, 30-Mar-2024 10:23:36 JST: I literally just want you to ban pedophile content, it's that simple. Do you agree to do that? (image is a completely unrelated artistic expression by an unknown artist) [attachment]
Rude (rude@kys.moe)'s status on Saturday, 30-Mar-2024 10:25:12 JST: @graf @p @sjw @yockeypuck @Moon @p Haven't been posting on fedi much over the last year. Quit my well paying salaryman tech job and now spend all of my time doing artwork and learning gamedev instead.
anime graf mays (graf@poa.st)'s status on Saturday, 30-Mar-2024 10:25:13 JST: @rude @p @sjw @yockeypuck @Moon @p good to see you friend, haven't seen you in what seems like months
Rude (rude@kys.moe)'s status on Saturday, 30-Mar-2024 10:25:14 JST: @sjw @p @graf @yockeypuck @Moon @p Is where I started also, just like learning to swim because your uncle threw you in the deep end of the pool as a kid.
anime graf mays (graf@poa.st)'s status on Saturday, 30-Mar-2024 10:25:15 JST: @yockeypuck @p @p @sjw @Moon [attachment]
Your New Marijuana Injecting Waifu :weed: (sjw@bae.st)'s status on Saturday, 30-Mar-2024 10:25:15 JST: @graf @p @yockeypuck @Moon @p it worked for me. Installing Gentoo got me familiar with the inner workings of GNU/Linux and taught me that it's not that scary and also taught me how to fix things and compile my own software. You learn a lot by installing Gentoo.
yockeypuck (yockeypuck@poa.st)'s status on Saturday, 30-Mar-2024 10:25:16 JST: @graf @p @p @sjw @Moon
>soystemd
It appears our superiority has once again led to controversy. [attachment]
anime graf mays (graf@poa.st)'s status on Saturday, 30-Mar-2024 10:26:10 JST: @matty @p @sjw @tyler @Moon @p oh my fucking god lmfao [attachment]