social.wildeboer.net is one of the many independent Mastodon servers you can use to participate in the fediverse.
Mastodon instance for people with Wildeboer as their last name

Server stats:

2
active users

Again the FOSS world has proven to be vigilant and proactive in finding bugs and backdoors, IMHO. The level of transparency is stellar, especially compared to proprietary software companies. What the FOSS world has accomplished in 24 hours after detection of the backdoor code in deserves a moment of humbleness. Instead we have flamewars and armchair experts shouting that we must change everything NOW. Which would introduce even more risks. Progress is made iteratively. Learn, adapt, repeat.

Just FTR. The backdoor code was inserted only under very specific circumstances in the build process. Once the problem was identified and after initial analysis made it clear how it worked, immediate action was taken in a coordinated fashion. Affected builds/packages were removed, update systems for affected distributions started delivering forced downgrades. Users of these systems were informed. This all happened in public, in transparent and open ways. All in the first 24 hours. I tip my hat.

Jan Wildeboer 😷:krulorange:

Now the mess is being cleaned up. AFAICS this exploit was NOT used in the wild by bad actors. So it wasn't even a 0day. The damage is limited, contained and being taken care of. In a coordinated way, across communities, companies and more organisations. Because we were prepared for the aftermath. We have learned form Heartbleed and other events. Our FOSS immune system works. And will learn from this incident. Peace.

This backdoor is tracked as CVE-2024-3094 and this CVE was opened by . You can find our data on this at access.redhat.com/security/cve If you search for "CVE-2024-3094" with the search engine of your choice you will find a growing list of references (and clickbait stories) of which nvd.nist.gov/vuln/detail/CVE-2 is a bit more relevant as it contains a long list of links to more news and background. The thread that started it all is at openwall.com/lists/oss-securit

The FAQ is at gist.github.com/thesamesam/223

access.redhat.comcve-details

I will let this tread rest for a while, as IMHO (In My Humble Opinion) everything we know ATM (At This Moment) is documented in the links I provided and besides making sure our machines have been updated (more precise: downgraded the xz package) there is not much we can do. I will NOT participate in speculations and potentially harmful spreading of rumours. And now I will be taking care of other things on this beautiful day. Thank you all for taking your time to read and comment!

backdoor/exploit, CVE-2024-3094

Short update: the best source for up2date information on the history, analysis, fallout and moving forward is now gist.github.com/thesamesam/223

As expected, a lot of motivated but not well-informed or qualified people in the comments are adding fuel to a fire that is effectively under control and almost extinguished, so when you read that FAQ, please ignore most of the comments under it.

Gistxz-utils backdoor situation (CVE-2024-3094)xz-utils backdoor situation (CVE-2024-3094). GitHub Gist: instantly share code, notes, and snippets.