eupolicy.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
#cve20243094

Alexander Goeres 𒀯From a BSI newsletter on the IT security situation in April 2025. among other things they cover a renewed vulnerability in the already notorious xz-utils. in 2024 there was a smuggled-in backdoor in that program (CVE-2024-3094). via the new vulnerability (CVE-2025-31115) malicious code could once again be injected. sounds fairly worrying, with a score of 8.7/10.<br><br>so far, so normal. but then the BSI turns distinctly critical of the system ... :-)<br><br><blockquote>Even though intent is not to be assumed in the current case, the renewed occurrence of a vulnerability with CVSS &gt;8 (the third in 3 years) raises doubts about the quality control within the XZ project. It has to be borne in mind that this ubiquitous software component is essentially maintained by a single maintainer in his spare time. The available human resources are thus in no proportion to the library's wide distribution. This applies to a large number of open-source software components, which are often also integrated into proprietary software without this becoming apparent. Moreover, this is a very early point in the supply chain of a software component that is extremely widespread.<br><br>Manufacturers of high-revenue products and services frequently also do not share their proceeds with the software projects used in the underlying stack, or not with all of them. Over the last 30 years such projects have produced a multitude of highly valuable software assets on which the functioning of today's IT world depends, yet which, despite their commercial exploitation, have not been equipped with anything close to the resources that would correspond to the value created with them.
Looking ahead, this structural problem should receive more attention.</blockquote><br>in another paragraph on updating from win10 to win11 the BSI also recommends switching to linux:<br><br><blockquote>The Federal Office for Information Security (BSI) recommends that everyone still using Windows 10 perform an upgrade or switch to a different operating system. That could be, for instance, Windows 11, a Unix-based operating system such as macOS, or a Linux-based operating system.</blockquote><br>and that in a professional environment the decision on this should not wait until Windows 10 support "suddenly" disappears entirely in the autumn and management falls into spontaneous panic ...<br><br>#<a class="" href="https://hub.netzgemeinde.eu/search?tag=computer" rel="nofollow noopener" target="_blank">computer</a> #<a class="" href="https://hub.netzgemeinde.eu/search?tag=bsi" rel="nofollow noopener" target="_blank">bsi</a> #<a class="" href="https://hub.netzgemeinde.eu/search?tag=CVE" rel="nofollow noopener" target="_blank">CVE</a> #<a class="" href="https://hub.netzgemeinde.eu/search?tag=CVE-2024-3094" rel="nofollow noopener" target="_blank">CVE-2024-3094</a> #<a class="" href="https://hub.netzgemeinde.eu/search?tag=CVE-2025-31115" rel="nofollow noopener" target="_blank">CVE-2025-31115</a> #<a class="" href="https://hub.netzgemeinde.eu/search?tag=xz-utlis" rel="nofollow noopener" target="_blank">xz-utlis</a> #<a class="" href="https://hub.netzgemeinde.eu/search?tag=security" rel="nofollow noopener" target="_blank">security</a> #<a class="" href="https://hub.netzgemeinde.eu/search?tag=hacks" rel="nofollow noopener" target="_blank">hacks</a>
Christian Pietsch 🍑<p><span class="h-card" translate="no"><a href="https://infosec.exchange/@jrt" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>jrt</span></a></span> <span class="h-card" translate="no"><a href="https://geraffel.social/@ph0lk3r" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>ph0lk3r</span></a></span> <span class="h-card" translate="no"><a href="https://infosec.exchange/@hisolutions" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>hisolutions</span></a></span> <span class="h-card" translate="no"><a href="https://chaos.social/@HonkHase" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>HonkHase</span></a></span> </p><p>Thank you very much for the write-up. I hope someone turns this material into a crime thriller.</p><p>Would you be up for performing it as a staged reading or (sock) puppet theatre at <a href="https://suma-ev.social/tags/38c3" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>38c3</span></a>?</p><p><a href="https://suma-ev.social/tags/CVE20243094" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CVE20243094</span></a> <a href="https://suma-ev.social/tags/xz" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>xz</span></a> <a href="https://suma-ev.social/tags/liblzma" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>liblzma</span></a> <a href="https://suma-ev.social/tags/Hintert%C3%BCr" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Hintertür</span></a></p>
jotbe<p>The xz Issue Isn’t About Open Source | The Changelog</p><p><a href="https://changelog.complete.org/archives/10642-the-xz-issue-isnt-about-open-source" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">changelog.complete.org/archive</span><span class="invisible">s/10642-the-xz-issue-isnt-about-open-source</span></a><br><a href="https://chaos.social/tags/rr" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>rr</span></a> <a href="https://chaos.social/tags/xz" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>xz</span></a> <a href="https://chaos.social/tags/cve20243094" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cve20243094</span></a> <a href="https://chaos.social/tags/OpenSource" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OpenSource</span></a></p>
jotbe<p>Putting an xz Backdoor Payload in a Valid RSA Key | rya.nc</p><p><a href="https://rya.nc/xz-valid-n.html" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="">rya.nc/xz-valid-n.html</span><span class="invisible"></span></a></p><p><a href="https://chaos.social/tags/xz" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>xz</span></a> <a href="https://chaos.social/tags/cve20243094" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cve20243094</span></a> <a href="https://chaos.social/tags/security" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>security</span></a> <a href="https://chaos.social/tags/backdoor" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>backdoor</span></a> <a href="https://chaos.social/tags/rsa" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>rsa</span></a> <a href="https://chaos.social/tags/ssh" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ssh</span></a> <a href="https://chaos.social/tags/rr" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>rr</span></a></p>
Tinker ☀️<p>Put yourself in Jia Tan's shoes, the malicious contributor to the xz backdoor...</p><p>It's been, what, two... three?... years since you started this campaign. You've had the entire support of your team and of your chain of command.</p><p>Your coders created a complex and sublime backdoor. A secure! backdoor that only you and your team could connect to. Heck it can even be deleted remotely. This is clean code. A responsible hack that doesn't open up the backdoor for others to hijack.</p><p>You spend years on your long con - your social engineering skills are at the top of the game. You've ingratiated yourself painstakingly into multiple teams. Finally it all pays off and you're ready to go!</p><p>You succeed multiple times in getting your backdoor inserted in all the major Linux distributions!!! Now it's just a matter of weeks before it makes it to production and stable releases!</p><p>This is the culmination of years of labor and planning and of a massive team and budget.</p><p>You did good.</p><p>This will get you promoted. Esteemed by your colleagues and leadership alike. Your spouse and kids will understand why you haven't been at home lately and why you've spent all those late nights at the office.</p><p>It's finally going to pay off.</p><p>But what's this?! Some rando poking around in their box running a pre-release unstable version of linux has found everything?!?! It's all being ripped down?! And on a Friday before a western holiday weekend?!?!</p><p>Fuck. Fuck. FUCK!!!</p><p>Three years for nothing!!! My wife is going to leave me! I missed my kid's recital for this!!! They'll hate me because I told them it was worth it. Daddy will be able to play with you again once Daddy finishes this last bit of work. But it was all for nothing!!!</p><p>Leadership took a big risk on me and my team but I kept assuring them it would pay off!</p><p>It would be one thing if another nation state found it and stopped it. 
But one random dude poking his nose where it shouldn't belong?! Ohhh fuck, I'm going to be fired. We're going to lose our budget. My team is going to be fired. I've let down everyone that ever believed in me and supported me and relied on me!</p><p>Oh fuck!!!</p><p><a href="https://infosec.exchange/tags/xz" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>xz</span></a> <a href="https://infosec.exchange/tags/backdoor" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>backdoor</span></a> <a href="https://infosec.exchange/tags/xzBackDoor" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>xzBackDoor</span></a> <a href="https://infosec.exchange/tags/cve" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cve</span></a> <a href="https://infosec.exchange/tags/cve20243094" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cve20243094</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infosec</span></a> <a href="https://infosec.exchange/tags/hacking" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>hacking</span></a> <a href="https://infosec.exchange/tags/FOSS" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>FOSS</span></a></p>
Jan Wildeboer 😷:krulorange:<p><a href="https://social.wildeboer.net/tags/JustInCase" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>JustInCase</span></a> I have mirrored <span class="h-card" translate="no"><a href="https://social.treehouse.systems/@thesamesam" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>thesamesam</span></a></span>'s gist at <a href="https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">gist.github.com/thesamesam/223</span><span class="invisible">949d5a074ebc3dce9ee78baad9e27</span></a> (the xz backdoor/exploit FAQ) locally and on <a href="https://codeberg.org/jwildeboer/gists/src/branch/main/20240401CVE20243094FAQMirror.md" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">codeberg.org/jwildeboer/gists/</span><span class="invisible">src/branch/main/20240401CVE20243094FAQMirror.md</span></a> Will set up some sort of automatic update script later. I don't think GitHub will somehow interfere with this FAQ, but hey, better safe than sorry and stuff :)</p><p>This is just a FYI. Please do NOT use my manual mirror of the FAQ and bookmark ONLY the original source.</p><p><a href="https://social.wildeboer.net/tags/CVE20243094" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CVE20243094</span></a> <a href="https://social.wildeboer.net/tags/xz" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>xz</span></a> <a href="https://social.wildeboer.net/tags/liblzma" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>liblzma</span></a> <a href="https://social.wildeboer.net/tags/backdoor" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>backdoor</span></a></p>
Justin (bsky @jwheel.org)<p>Most of my feed on the <a href="https://floss.social/tags/xzorcist" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>xzorcist</span></a> <a href="https://floss.social/tags/xz" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>xz</span></a> mess is solution-eering on ideas for paying maintainers. It implies the way to fix this is to simply pay people for their time.</p><p>I am not seeing something else though. Has anyone actually *asked* the maintainer what they want? What if that answer was not money? What if it was "I don't want to do this anymore?"</p><p>Regardless of the answer this time around, we should be prepared to boldly face these types of answers too.</p><p><a href="https://floss.social/tags/Linux" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Linux</span></a> <a href="https://floss.social/tags/OpenSource" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OpenSource</span></a> <a href="https://floss.social/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infosec</span></a> <a href="https://floss.social/tags/CVE20243094" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CVE20243094</span></a></p>
vict0ni<p>The whole xz story makes me think of what other backdoors we have missed. Just think of some malicious code in popular packages just chilling there, undetected...</p><p><a href="https://infosec.exchange/tags/cve20243094" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cve20243094</span></a></p>
Newk<p>And again, it pays off that we never patch! The supply chain can't attack you if you don't use what it supplies!</p><p><a href="https://infosec.exchange/tags/cve20243094" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cve20243094</span></a> <a href="https://infosec.exchange/tags/xz" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>xz</span></a> <a href="https://infosec.exchange/tags/xzbackdoor" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>xzbackdoor</span></a> <a href="https://infosec.exchange/tags/shitpost" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>shitpost</span></a></p>
Johan<p>While it doesn't seem like my small servers are vulnerable to <a href="https://mastodon.nu/tags/CVE20243094" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CVE20243094</span></a>, and I usually don't have SSH open to the interwebs, this thing is bound to become one big mess with even more vulnerabilities popping up as a result... Fun times ahead.</p>
jotbe<p>FAQ: xz-utils backdoor situation · GitHub <a href="https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">gist.github.com/thesamesam/223</span><span class="invisible">949d5a074ebc3dce9ee78baad9e27</span></a> <a href="https://chaos.social/tags/xz" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>xz</span></a> <a href="https://chaos.social/tags/security" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>security</span></a> <a href="https://chaos.social/tags/CVE20243094" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CVE20243094</span></a></p>
PrivacyDigest<p><a href="https://mas.to/tags/RedHat" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>RedHat</span></a> Issues Urgent Alert For <a href="https://mas.to/tags/Fedora" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Fedora</span></a> <a href="https://mas.to/tags/Linux" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Linux</span></a> Users Due To Malicious Code - Slashdot</p><p><a href="https://mas.to/tags/vulnerability" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>vulnerability</span></a>, designated CVE-2024-3094<br><a href="https://mas.to/tags/security" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>security</span></a> <a href="https://mas.to/tags/privacy" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>privacy</span></a> <a href="https://mas.to/tags/cve" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cve</span></a> <a href="https://mas.to/tags/cve20243094" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cve20243094</span></a></p><p><a href="https://it.slashdot.org/story/24/03/29/2158259/red-hat-issues-urgent-alert-for-fedora-linux-users-due-to-malicious-code?utm_source=rss1.0mainlinkanon&amp;utm_medium=feed" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">it.slashdot.org/story/24/03/29</span><span class="invisible">/2158259/red-hat-issues-urgent-alert-for-fedora-linux-users-due-to-malicious-code?utm_source=rss1.0mainlinkanon&amp;utm_medium=feed</span></a></p>
StreetDogg<p>Every <a href="https://norden.social/tags/OSS" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OSS</span></a> maintainer from now on, whenever their code takes 0.4 seconds longer than expected. <a href="https://norden.social/tags/xz" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>xz</span></a> <a href="https://norden.social/tags/SSH" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SSH</span></a> <a href="https://norden.social/tags/cve20243094" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cve20243094</span></a></p>
Luka Rubinjoni<p>Manjaro is still shipping the 5.6.1-2 version of the xz package. <a href="https://mastodon.social/tags/xz" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>xz</span></a> <a href="https://mastodon.social/tags/liblzma" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>liblzma</span></a> <a href="https://mastodon.social/tags/cve20243094" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cve20243094</span></a> <a href="https://mastodon.social/tags/manjaro" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>manjaro</span></a> <span class="h-card" translate="no"><a href="https://masto.ai/@manjarolinux" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>manjarolinux</span></a></span> <br><a href="https://software.manjaro.org/package/xz" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">software.manjaro.org/package/x</span><span class="invisible">z</span></a></p>
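Luka's post is about a package version, and the check a defender actually wants at this point is whether the xz/liblzma installed on a box is one of the backdoored releases. The shell script below is an added example written for this page, not code from any post here or from the xz project. It normalises distribution package versions such as Manjaro's 5.6.1-2 to the upstream X.Y.Z core, handles the Debian-style "5.6.1+really5.4.5-1" naming that Debian used for its downgraded fix (that convention is an assumption about Debian's packaging, stated here rather than taken from the page), flags the two upstream releases known to carry the CVE-2024-3094 backdoor (5.6.0 and 5.6.1, as documented in the thesamesam FAQ linked elsewhere on this page), and parses the version out of `xz --version` output. Function names and the sample output string are constructed for the example.

```shell
#!/bin/sh
# Added example (not from any post on this page or from the xz project):
# triage whether an xz/liblzma version string is one of the two upstream
# releases (5.6.0, 5.6.1) that shipped the CVE-2024-3094 backdoor.

# Reduce a distro package version to its upstream "X.Y.Z" core.
# Handles suffixes such as "-2" (Manjaro, Arch) or "-1ubuntu1", and the
# Debian "5.6.1+really5.4.5-1" pattern, where the code actually shipped is
# the version after "+really" (assumption about Debian naming).
upstream_version() {
    v=$1
    case "$v" in
        *+really*) v=${v#*+really} ;;
    esac
    printf '%s\n' "$v" | sed -E 's/^([0-9]+\.[0-9]+\.[0-9]+).*/\1/'
}

# Exit status 0 (true) when the upstream core is a backdoored release.
is_affected_xz_version() {
    case "$(upstream_version "$1")" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Pull "X.Y.Z" out of the first line of `xz --version`, which looks like
# "xz (XZ Utils) 5.6.1"; prints nothing if no version is found.
version_from_xz_output() {
    printf '%s\n' "$1" | sed -n -E '1s/.* ([0-9]+\.[0-9]+\.[0-9]+).*/\1/p'
}

# Live check of the xz binary on PATH. Exit status: 0 clean, 1 affected,
# 2 xz not installed (so the result can drive a fleet-wide inventory job).
check_local_xz() {
    if ! command -v xz >/dev/null 2>&1; then
        echo "xz: not installed"
        return 2
    fi
    v=$(version_from_xz_output "$(xz --version 2>/dev/null)")
    if is_affected_xz_version "$v"; then
        echo "xz $v: AFFECTED by CVE-2024-3094, update or downgrade now"
        return 1
    fi
    echo "xz $v: not a backdoored release"
    return 0
}

# Constructed sample of `xz --version` output used for the demo.
SAMPLE_VERSION_OUTPUT='xz (XZ Utils) 5.6.1
liblzma 5.6.1'

demo() {
    for ver in 5.6.1-2 5.6.0 5.4.6-1 5.6.2 5.6.1+really5.4.5-1; do
        if is_affected_xz_version "$ver"; then
            echo "$ver -> affected"
        else
            echo "$ver -> ok"
        fi
    done
    echo "parsed from sample output: $(version_from_xz_output "$SAMPLE_VERSION_OUTPUT")"
}

demo
# Capture the live check's exit status without aborting under `sh -e`.
check_local_xz && live_status=0 || live_status=$?
echo "live check exit status: $live_status"
```

The version check is a triage heuristic, not proof of compromise or of a clean system: a rebuilt or downgraded package may carry a version string that does not match the code inside it, so confirm against your distribution's own advisory for CVE-2024-3094 before closing the ticket.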
Poul-Henning Kamp<p>I gave a talk about state actors attacking FOSS, ten years ago, at FOSDEM:</p><p><a href="https://www.youtube.com/watch?v=3jQoAYRKqhg" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">youtube.com/watch?v=3jQoAYRKqh</span><span class="invisible">g</span></a></p><p><a href="https://fosstodon.org/tags/cve20243094" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cve20243094</span></a></p>
Tinker ☀️<p>Just a professional tip to the xz maintainer who put the backdoor in...</p><p>...might wanna go to ground, lol. Hopefully you're working for a government sponsored APT and you can get some safe haven.</p><p>A lot of folks are going to be looking for your head.</p><p>(Edit to include: Here's hoping it wasn't extortion. They'll probably hang you out to dry. Shit sandwich all around.)</p><p><a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infosec</span></a> <a href="https://infosec.exchange/tags/hacking" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>hacking</span></a> <a href="https://infosec.exchange/tags/cve" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cve</span></a> <a href="https://infosec.exchange/tags/cve20243094" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cve20243094</span></a> <a href="https://infosec.exchange/tags/linux" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>linux</span></a> <a href="https://infosec.exchange/tags/FOSS" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>FOSS</span></a></p>
Tinker ☀️<p>I think a LOT of people are missing the fact that we got LUCKY with this malicious backdoor.</p><p>The backdoor was created by an Insider Threat - by a developer / maintainer of various linux packages. The backdoor was apparently pushed back on March 8th (I believe) and MADE IT PAST all QA checks.</p><p>Let me state that again. Any quality assurance, security checks, etc., failed to catch this. </p><p>This was so far upstream, it had already gotten into the major Linux distributions. It made it into Debian pre-release, Fedora rolling, OpenSUSE rolling, Kali rolling, etc.</p><p>This is an example of Supply Chain Security that CISOs love to talk and freak out about. This is an example of an Insider Threat that is the boogey man of corporate infosec.</p><p>A couple more weeks, and it would have been in many major distributions without any of us knowing about it.</p><p>The ONLY reason we know about it is because <span class="h-card" translate="no"><a href="https://mastodon.social/@AndresFreundTec" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>AndresFreundTec</span></a></span> got curious about login issues and some benchmarking checks that had nothing to do with security and ran the issue down and stumbled upon a nasty mess that was trying to remain hidden.</p><p>It was luck.</p><p>That's it. We got lucky this time.</p><p>So this begs the question. Did the malicious insider backdoor anything else? Are they working with anyone else who might have access to other upstream packages? If the QA checks failed to find this specific backdoor by this specific malicious actor, what other intentional backdoors have they missed?</p><p>And before anyone goes and blames Linux (as a platform or as a concept), if this had happened (if it HAS happened!!!) in Windows, Apple, iOS, etc.... we would not (or will not) know about it. 
It was only because all these systems are open source that Andres was able to go back and look through the code himself.</p><p>Massive props and kudos and all the thank yous to Andres, those who helped him, to all the Linux teams jumping on this to fix it, and to all the folks on high alert just before this Easter weekend.</p><p>I imagine (hope) that once this gets cleaned up, there will be many fruitful discussions around why this passed all checks and what can be changed to prevent it from happening again.</p><p>(I also hope they run down any and all packages this person had the signing key for....)</p><p><a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infosec</span></a> <a href="https://infosec.exchange/tags/hacking" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>hacking</span></a> <a href="https://infosec.exchange/tags/cve" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cve</span></a> <a href="https://infosec.exchange/tags/cve20243094" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cve20243094</span></a> <a href="https://infosec.exchange/tags/linux" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>linux</span></a> <a href="https://infosec.exchange/tags/FOSS" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>FOSS</span></a></p>
Tarnkappe.info<p>📬 Backdoor found in OpenSSH server<br><a href="https://social.tchncs.de/tags/Linux" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Linux</span></a> <a href="https://social.tchncs.de/tags/CVE20243094" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CVE20243094</span></a> <a href="https://social.tchncs.de/tags/OpenSSH" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OpenSSH</span></a> <a href="https://social.tchncs.de/tags/Sicherheitsk%C3%BCcke" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Sicherheitskücke</span></a> <a href="https://sc.tarnkappe.info/d941c4" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="">sc.tarnkappe.info/d941c4</span><span class="invisible"></span></a></p>
CCC Freiburg<p>xz or not xz, that's the question?<br>ugly, mode: set everything on fire</p><p>"Backdoor found in xz liblzma specifically targets the RSA implementation of OpenSSH. Story still developing."</p><p><a href="https://chaos.social/tags/leak" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>leak</span></a> <a href="https://chaos.social/tags/backdoor" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>backdoor</span></a> <a href="https://chaos.social/tags/ssh" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ssh</span></a> <a href="https://chaos.social/tags/Internet" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Internet</span></a> <a href="https://chaos.social/tags/xz" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>xz</span></a> <a href="https://chaos.social/tags/linux" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>linux</span></a> <a href="https://chaos.social/tags/rsa" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>rsa</span></a> <a href="https://chaos.social/tags/libzma" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>libzma</span></a> <a href="https://chaos.social/tags/openssh" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>openssh</span></a> <a href="https://chaos.social/tags/CVE20243094" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CVE20243094</span></a> <a href="https://chaos.social/tags/sicherheitsl%C3%BCcke" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>sicherheitslücke</span></a> <br><a href="https://www.youtube.com/watch?v=jqjtNDtbDNI" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">youtube.com/watch?v=jqjtNDtbDN</span><span class="invisible">I</span></a><br><a href="https://openwall.com/lists/oss-security/2024/03/29/4" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">openwall.com/lists/oss-securit</span><span class="invisible">y/2024/03/29/4</span></a><br><a href="https://archlinux.org/news/the-xz-package-has-been-backdoored/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">archlinux.org/news/the-xz-pack</span><span class="invisible">age-has-been-backdoored/</span></a><br><a href="https://sc.tarnkappe.info/d941c4" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="">sc.tarnkappe.info/d941c4</span><span class="invisible"></span></a></p>
AJ Jordan is @ PyCon US<p>so like... where is Canonical's CVE-2024-3094 (the <a href="https://tech.lgbt/tags/xz" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>xz</span></a> thing)?? SUSE has one out, Red Hat has one out, Debian and Fedora have announcements out. this was under embargo, how is Canonical not on the ball? apparently the embargo was accidentally broken, but still...<br><a href="https://tech.lgbt/tags/cve20243094" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cve20243094</span></a></p>