This is a scary one ... CVE-2024-3094
bingo600:
Dammm
This one is scary - Malicious code in liblzma upstream code detected.
https://www.openwall.com/lists/oss-security/2024/03/29/4
https://nvd.nist.gov/vuln/detail/CVE-2024-3094
Especially because it might be "An inside job"
Multistage planned, and "impressingly well done" :-\
Right now ... Probably only bleeding edge installs are affected.
But since it was in upstream, if not detected it would have propagated.
My Ubu 22.04 or Deb12 aren't affected.
Edit:
Just beginning to look at this one - Doesn't look nice either
https://pwning.tech/nftables/
SiliconWizard:
Wow.
Note that the official github account on which the repo was hosted has been taken down: https://github.com/tukaani-project/xz
This is serious stuff here.
bingo600:
--- Quote from: SiliconWizard on March 30, 2024, 07:51:43 am ---Wow.
Note that the official github account on which the repo was hosted has been taken down: https://github.com/tukaani-project/xz
This is serious stuff here.
--- End quote ---
Yupp
But if correct ... Then "adding" "extra key-sigs" to SSH ... IS SERIOUS
One can only wonder : WHY did the Author(s) do it ? - Especially if it's an inside job ...
Smells somewhat of "3 letters" from whatever country.
madires:
FAQ on the xz-utils backdoor: https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27
Debian: https://lists.debian.org/debian-security-announce/2024/msg00057.html
openSUSE: https://news.opensuse.org/2024/03/29/xz-backdoor/
The first affected version is 5.6.0.
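A small check script, added here as an example and not part of madires' post or of the xz project itself: it parses an `xz --version` banner, flags the backdoored upstream releases, and, when run with `--local`, also reports whether the host's sshd links liblzma at all (the only way the liblzma payload reaches sshd). The post names 5.6.0 as the first affected version; that 5.6.1 is the second backdoored release is stated here as a fact beyond what the page says. The sample banners in the script are constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example (not from the thread or the xz project): classify an
# "xz --version" banner against the backdoored upstream releases and,
# optionally, check the local host. 5.6.0 is the first affected version
# named in the thread; 5.6.1 is the second backdoored release (a fact
# stated here beyond the page). The sample banners below are constructed.

# Returns 0 if the given X.Y.Z version is one of the backdoored releases.
xz_version_is_backdoored() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints the liblzma version found in an "xz --version" banner. Real output
# looks like:
#   xz (XZ Utils) 5.6.1
#   liblzma 5.6.1
# The library line is what matters for sshd, so prefer it over the tool line.
xz_version_from_banner() {
    printf '%s\n' "$1" | awk '
        /^liblzma/ { lib = $NF }
        /^xz /     { tool = $NF }
        END        { if (lib != "") print lib; else if (tool != "") print tool }'
}

# Prints "backdoored", "clean" or "unknown" for a banner.
classify_xz_banner() {
    ver=$(xz_version_from_banner "$1")
    if [ -z "$ver" ]; then
        echo unknown
    elif xz_version_is_backdoored "$ver"; then
        echo backdoored
    else
        echo clean
    fi
}

# Host check: xz version plus whether sshd links liblzma (the backdoor only
# reaches sshd through that linkage, on most distros via libsystemd).
check_local_xz() {
    if banner=$(xz --version 2>/dev/null); then
        echo "xz: $(classify_xz_banner "$banner") ($(xz_version_from_banner "$banner"))"
    else
        echo "xz: not installed"
    fi
    sshd=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
    if [ -x "$sshd" ] && ldd "$sshd" 2>/dev/null | grep -q liblzma; then
        echo "sshd: links liblzma"
    else
        echo "sshd: does not link liblzma (or ldd unavailable)"
    fi
}

# Constructed sample banners for the classifier.
SAMPLE_AFFECTED='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
SAMPLE_CLEAN='xz (XZ Utils) 5.4.5
liblzma 5.4.5'

# Run as "sh xzcheck.sh --local" to inspect this host.
if [ "${1:-}" = "--local" ]; then
    check_local_xz
fi
```

A version string alone is only a first triage step: distributions ship patched packages under their own version suffixes, so confirm against the advisories linked above and rebuild or downgrade according to your distro's guidance rather than trusting the banner by itself.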
voltsandjolts:
https://arstechnica.com/security/2024/03/backdoor-found-in-widely-used-linux-utility-breaks-encrypted-ssh-connections/