176
submitted 7 months ago by petsoi@discuss.tchncs.de to c/linux@lemmy.ml
top 18 comments
sorted by: hot top controversial new old
[-] thurstylark@lemm.ee 44 points 7 months ago

Me: fixes exposure to vuln

Also me: grabs popcorn

This is going to be an interesting story once this all quiets down...

[-] Bitrot@lemmy.sdf.org 50 points 7 months ago* (last edited 7 months ago)

Gonna take a bit. The dudes been doing the releases for over a year, everything they touched is suspect now even if nothing earlier is known. Also some other associated accounts have been doing shady stuff too.

And that’s just one project that had a burnt out maintainer who welcomed some help from this guy. There are probably others. The hobby project becoming a core piece is a big issue.

[-] SuperIce@lemmy.world 20 points 7 months ago

Yeah, it looks like that little Jenga block from the xkcd meme was XZ and a bunch of infrastructure is gonna have issues because of it.

[-] brunacho@scribe.disroot.org 10 points 7 months ago

Gonna take a bit. The dudes been doing the releases for over a year, everything they touched is suspect now even if nothing earlier is known. Also some other associated accounts have been doing shady stuff too.

gonna take even a bit more now. Github closed the account and project making it really difficult to see their commits and merges and analyze them.

[-] theshatterstone54@feddit.uk 6 points 7 months ago

Fixes exposure

It says F39 users are not affected. Are you running Rawhide/F40 Beta? p

[-] thurstylark@lemm.ee 10 points 7 months ago

Running Arch, so not really exposed, but still had a compromised version installed.

[-] wolf@lemmy.zip 25 points 7 months ago
[-] wolf@lemmy.zip 24 points 7 months ago* (last edited 7 months ago)

Supply chain attacks are extremely cheap/easy and very effective, so get prepared for more of them in the future.

It really bothers me, that many companies make billions utilizing open source without contributing money/employees etc. to secure/supply/maintain supply chains.

[-] RedNight@lemmy.ml 11 points 7 months ago

This one might not have been that cheap. The malicious code was added by a maintainer on the project for two years. That is some patience

[-] wolf@lemmy.zip 6 points 7 months ago

Agreed. I am more speaking of 'in general', for example there was a supply chain attack on a widely used npm package by writing an email to the author of the npm package. There are other 'cheap' attacks like dependency confusion, typo squatting etc.

[-] NotMyOldRedditName@lemmy.world 2 points 7 months ago

What about finding someone like this and then blackmailing them?

That would be cheaper

[-] SMillerNL@lemmy.world 3 points 7 months ago
[-] bassomitron@lemmy.world 1 points 7 months ago

Lol, too true. It's either that or honeytraps

[-] steal_your_face@lemmy.ml 11 points 7 months ago

Happy it doesn’t affect stable versions

[-] delirious_owl@discuss.online 2 points 7 months ago

Did they intentionally not put the package name in the headline just to draw more clicks? Ffs

[-] annata20@discuss.tchncs.de 1 points 3 months ago

CVE-2024-3094 represents a serious security threat for Pokerogue Fedora Linux 40 and Rawhide users. Promptly updating your system and applying the necessary patches are crucial steps in mitigating this vulnerability.

this post was submitted on 30 Mar 2024
176 points (98.4% liked)

Linux

48132 readers
538 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago
MODERATORS