Conversation

Notices

1. Embed this notice
   Gea-Suan Lin (gslin@abpe.org)'s status on Saturday, 30-Mar-2024 10:07:06 JST Gea-Suan Lin

   in reply to

   https://github.com/tukaani-project/xz/releases

   這次 backdoor 被放進 5.6.1(2024/03/09)，在大多數的 LTS distribution 都還沒跟上，但很多 testing/prerelease 版本就慘了...

   另外一方面是 xz 團隊被迫要回頭仔細的 audit 之前的 commit 了...

   • Roy Tam likes this.
   • Embed this notice
     Gea-Suan Lin (gslin@abpe.org)'s status on Saturday, 30-Mar-2024 10:07:07 JST Gea-Suan Lin

     https://www.openwall.com/lists/oss-security/2024/03/29/4

     https://news.ycombinator.com/item?id=39865810

     睡醒打開電腦就發現 xz 被下蠱的消息，而且是埋了兩年的 social engineering (這麼刺激？)：

     He has been part of the xz project for 2 years, adding all sorts of binary test files, and to be honest with this level of sophistication I would be suspicious of even older versions of xz until proven otherwise.

     Roy Tam repeated this.