Reset Password
Existing players used to logging in with their character name and moo password must signup for a website account.
- Napoleon 46s
- Woeful 1m
- BigLammo 1s youtu.be/NZR4EeTkRqk
- adrognik 3m
- BluuOwl 32s
- Hivemind 16m
- Komira 4m
- Rillem 23s
a Mench 2h Doing a bit of everything.
- Wonderland 2m
- QueenZombean 42s
- zxq 5m
- BitLittle 9m
And 36 more hiding and/or disguised
Sindomedome logo
a cyberpunk roleplaying game
banner art by Snook-8
Connect to Sindome @ moo.sindome.org:5555 or just Play Now

XZ-Utils Backdoored

Login to post. Membership required.
Jump To
Newest Post
xz-utils, a package used by pretty much every Linux distro, has been backdoored for about a month. Luckily, it isn't as bad as it could be as most installs run an earlier version, but if you have a Linux machine that's connected to the internet (and you care if it gets broken into), or run homebrew on your Mac, you should check what version you're running.

Assuming you use 'apt' for your package manager, you can just do this by running "apt info xz-utils". I'd advise against running "xz -V" to check the version, as this would run the binary to get the version, which obviously isn't a great idea. If you're running versions 5.6.0 - 5.6.1, you should downgrade immediately.

If you want more information, the CVE is CVE-2024-3094

By Baguette at Mar 30, 2024 10:17 AM
As someone from a non-technical background, it sort of blew my mind as I was learning to use Linux how much security relied on someone else probably having checked over code in random package managers like NPM but this is another level.

Actually got into a full release of Fedora and into Debian Unstable looks like.

By 0x1mm at Mar 30, 2024 10:50 AM
AFAIK it's not in Fedora yet (they were planning to include it in Fedora 40 & 41), but it is in Debian unstable.
By Baguette at Mar 30, 2024 10:51 AM
Wired has a pretty interesting article on the maintainer/intelligence operative: The Mystery of ‘Jia Tan,’ the XZ Backdoor Mastermind.

Jia Tan exploited open source software’s crowdsourced approach to coding whereby anyone can suggest changes to a program on code repositories like GitHub, where the changes are reviewed by other coders before they’re integrated into the software. Peeling back Jia Tan’s documented history in the open source programming world reveals that they first appeared in November 2021 with the GitHub username JiaT75, then made contributions to other open source projects using the name Jia Tan, or sometimes Jia Cheong Tan, for more than a year before beginning to submit changes to XZ Utils.

By January 2023, Jia Tan’s code was being integrated into XZ Utils. Over the next year, they would largely take control of the project from its original maintainer, Lasse Collin, a change driven in part by nagging emails sent to Collin by a handful users complaining about slow updates. (Whether those users were unwitting accomplices, or actually working with Jia Tan to persuade Collin to relinquish control, remains unclear. None of the users replied to requests for comment from WIRED.) Finally, Jia Tan added their stealthy backdoor to a version of XZ Utils in February of this year.[/url]

By 0x1mm at Apr 11, 2024 5:25 PM
Jump To Oldest Post