Jan Wildeboer 😷:krulorange:

Now the mess is being cleaned up. AFAICS this exploit was NOT used in the wild by bad actors. So it wasn't even a 0day. The damage is limited, contained and being taken care of. In a coordinated way, across communities, companies and more organisations. Because we were prepared for the aftermath. We have learned from Heartbleed and other events. Our FOSS immune system works. And will learn from this incident. Peace.

6 comments
phoenix

@jwildeboer even more, 1000 eyes are now focussing on the wound, looking for damages and other infections. 1000 eyes that would otherwise do other things are focussing on the one wound, so it can heal.

Once a problem has been identified, the self-healing capabilities are typically given. This is the resilience that is needed for survival. And it is there.

That's the open-source spirit, and it is awesome.

Jan Wildeboer 😷:krulorange:

For the impact on #Fedora, please follow the developing story at fedoramagazine.org/cve-2024-30 - That's the transparency and openness I am talking about.

Jan Wildeboer 😷:krulorange:

This #xz backdoor is tracked as CVE-2024-3094 and this CVE was opened by #RedHat. You can find our data on this at access.redhat.com/security/cve. If you search for "CVE-2024-3094" with the search engine of your choice you will find a growing list of references (and clickbait stories) of which nvd.nist.gov/vuln/detail/CVE-2 is a bit more relevant as it contains a long list of links to more news and background. The thread that started it all is at openwall.com/lists/oss-securit

Jan Wildeboer 😷:krulorange:

I will let this thread rest for a while, as IMHO (In My Humble Opinion) everything we know ATM (At This Moment) is documented in the links I provided and besides making sure our machines have been updated (more precisely: downgraded the xz package) there is not much we can do. I will NOT participate in speculations and potentially harmful spreading of rumours. And now I will be taking care of other things on this beautiful day. Thank you all for taking your time to read and comment!

Joe Brockmeier

@jwildeboer yes… but. I’m now wondering if there are other instances we haven’t caught, or caught yet. Seems optimistic to assume that we’ve spotted a solitary instance of a very sophisticated approach to sneaking in back doors.

At a minimum, it might be time to revisit the practice of key signing parties and doing more to vet contributors.

Jan Wildeboer 😷:krulorange:

@jzb What I am trying to say is that there are two sides here. Solving and cleaning up after it happened is #1. That is what I am talking about. #2, what you mention, is how to harden the FOSS ecosystem proactively to reduce the risk of stuff "hiding in plain sight" in FOSS. That's a far wider field with many more unknowns.

We just shouldn't mix the two things because that leads to open-ended arguments and not to solutions, IMHO.
