Lasse Collin (the main #xz maintainer) has now started working on review of #xzorcist (credit to @jwf for the clever name!).

tukaani.org/xz-backdoor/

It's important to note how critical it was caught now: all the commercial distributions are making releases over the next 12-18 months: Red Hat with RHEL 10 in May 2025, SUSE with SLE 16 in fall 2025, and Canonical with Ubuntu 24.04 in April. It was key to infect their upstreams (Fedora, openSUSE, Debian) now.

Fortunately, it failed.


@Conan_Kudo @jwf I'm somewhat concerned that the site ignores the hypothesis that the attacker compromised Lasse's dev environment (I think it does by stating free of caveats that tarballs signed by Lasse were created by Lasse).

@robryk @jwf The investigation is only just starting. We'll see how it goes in the coming weeks.

Qoto Mastodon