Re: Malware find in the news: xz related.

Liste des GroupesRevenir à col misc 
Sujet : Re: Malware find in the news: xz related.
De : nospam (at) *nospam* example.net (D)
Groupes : comp.os.linux.misc
Date : 31. Mar 2024, 21:46:54
Autres entêtes
Organisation : i2pn2 (i2pn.org)
Message-ID : <196482cd-226c-0462-3fb0-f809000a97c3@example.net>
References : 1 2 3 4 5
On Sun, 31 Mar 2024, Carlos E.R. wrote:

On 2024-03-31 18:26, Rich wrote:
Grant Taylor <gtaylor@tnetconsulting.net> wrote:
On 3/31/24 08:38, John McCue wrote:
Thanks, here is another interesting link that describes how the issue
occurred and indicates why *BSD and Distros like Slackware would not
be vulnerable.
 My understanding is that effectively the differentiating factor of if
a distro is impacted or not is if it uses systemd or not.
 Yes, this seems to have been part of the "connection".
 
Purportedly sshd itself doesn't use xz.
 It does not.  Directly that is.
 
But sshd built on / for systemd distros end up having xz added as a
library / dependency because of systemd compatibility because systemd
does use xz for things.
 Some distros, in their zeal to "systemd all the things" patch OpenSSH
to link it to a systemd library for logging purposes.  That addition of
a systemd library for logging is what ultimately linked the xz/lzma
library into OpenSSH because somewhere in that systemd libraries
dependency chain was libxz/lzma.
 
As such, my supposition is that, things like *BSD, Slackware, and
Gentoo (OpenRC old default) aren't affected because they don't have
-> use systemd.
 They are not, because their OpenSSH is not linked to libxz/lzma in any
way.
 But....  this is nearly a "Reflections on Trusting Trust" [1] level
opsec.  attempt, and so just because BSD/Slackware/Gentoo happen to be
immune this time, does not mean they would be immune to another opsec.
attempt against an OpenSSH direct dependency which might gain a
similarly well hidden backdoor.
>
A well funded bad actor will likely find a target to do their thing. They did not attack systemd directly, but a small auxiliary library from another project, one that had little attention from developers. Once this hole is plugged, they will seek another one.
>
That was a two year investment to plant a mole. There might be others.
>
>
I'm one hundred percent sure state level actors are already doing this in numerous small auxiliary libraries as well as python pip, rust, go and others.
Seems like supply chain attacks will be the new gold when it comes to malicious attacks. =(
Is the open source community equipped to handle this?

Date Sujet#  Auteur
30 Mar 24 * Malware find in the news: xz related.59pH
30 Mar 24 +- Re: Malware find in the news: xz related.1Woozy Song
30 Mar 24 +* Re: Malware find in the news: xz related.2Eli the Bearded
31 Mar 24 i`- Re: Malware find in the news: xz related.1Computer Nerd Kev
31 Mar 24 +* Re: Malware find in the news: xz related.25MarioCCCP
31 Mar 24 i`* Re: Malware find in the news: xz related.24Computer Nerd Kev
31 Mar 24 i `* Re: Malware find in the news: xz related.23Computer Nerd Kev
31 Mar 24 i  +* Re: Malware find in the news: xz related.16D
31 Mar 24 i  i`* Re: Malware find in the news: xz related.15Lew Pitcher
31 Mar 24 i  i +* Re: Malware find in the news: xz related.12Nuno Silva
31 Mar 24 i  i i+- Re: Malware find in the news: xz related.1Lew Pitcher
31 Mar 24 i  i i+- Re: Malware find in the news: xz related.1Rich
31 Mar 24 i  i i`* Re: Malware find in the news: xz related.9Richard Kettlewell
1 Apr 24 i  i i `* Re: Malware find in the news: xz related.8Carlos E.R.
1 Apr 24 i  i i  `* Re: Malware find in the news: xz related.7Rich
2 Apr 24 i  i i   `* Re: Malware find in the news: xz related.6Carlos E.R.
6 Apr 24 i  i i    `* Re: Malware find in the news: xz related.5MarioCCCP
6 Apr 24 i  i i     `* Re: Malware find in the news: xz related.4Rich
6 Apr 24 i  i i      `* Re: Malware find in the news: xz related.3The Natural Philosopher
7 Apr 24 i  i i       +- Re: Malware find in the news: xz related.1Computer Nerd Kev
8 Apr 24 i  i i       `- Re: Malware find in the news: xz related.1Rich
31 Mar 24 i  i +- Re: Malware find in the news: xz related.1D
6 Apr 24 i  i `- Re: Malware find in the news: xz related.1Popping Mad
31 Mar 24 i  +- Re: Malware find in the news: xz related.1Woozy Song
31 Mar 24 i  `* Re: Malware find in the news: xz related.5Carlos E.R.
31 Mar 24 i   +- Re: Malware find in the news: xz related.1David W. Hodgins
31 Mar 24 i   `* Re: Malware find in the news: xz related.3D
31 Mar 24 i    `* Re: Malware find in the news: xz related.2Carlos E.R.
1 Apr 24 i     `- Re: Malware find in the news: xz related.1D
31 Mar 24 `* Re: Malware find in the news: xz related.30John McCue
31 Mar 24  `* Re: Malware find in the news: xz related.29Grant Taylor
31 Mar 24   +* Re: Malware find in the news: xz related.11David W. Hodgins
31 Mar 24   i+* Re: Malware find in the news: xz related.8Rich
31 Mar 24   ii`* Re: Malware find in the news: xz related.7David W. Hodgins
31 Mar 24   ii `* Re: Malware find in the news: xz related.6Lew Pitcher
31 Mar 24   ii  `* Re: Malware find in the news: xz related.5Marco Moock
31 Mar 24   ii   `* Re: Malware find in the news: xz related.4Grant Taylor
31 Mar 24   ii    +- Re: Malware find in the news: xz related.1David W. Hodgins
1 Apr 24   ii    `* Re: Malware find in the news: xz related.2Marco Moock
1 Apr 24   ii     `- Re: Malware find in the news: xz related.1Grant Taylor
31 Mar 24   i`* Re: Malware find in the news: xz related.2Grant Taylor
31 Mar 24   i `- Re: Malware find in the news: xz related.1Marc Haber
31 Mar 24   `* Re: Malware find in the news: xz related.17Rich
31 Mar 24    +* Re: Malware find in the news: xz related.4David W. Hodgins
31 Mar 24    i+* Re: Malware find in the news: xz related.2Grant Taylor
31 Mar 24    ii`- Re: Malware find in the news: xz related.1Richard Kettlewell
31 Mar 24    i`- Re: Malware find in the news: xz related.1D
31 Mar 24    +* Re: Malware find in the news: xz related.7Carlos E.R.
31 Mar 24    i`* Re: Malware find in the news: xz related.6D
31 Mar 24    i +* Re: Malware find in the news: xz related.4Carlos E.R.
31 Mar 24    i i`* Re: Malware find in the news: xz related.3Computer Nerd Kev
1 Apr 24    i i +- Re: Malware find in the news: xz related.1candycanearter07
1 Apr 24    i i `- Re: Malware find in the news: xz related.1John Dallman
6 Apr 24    i `- Re: Malware find in the news: xz related.1Popping Mad
31 Mar 24    `* Re: Malware find in the news: xz related.5Grant Taylor
1 Apr 24     +- Re: Malware find in the news: xz related.1Rich
1 Apr 24     `* Re: Malware find in the news: xz related.3Marco Moock
7 Apr 24      `* Re: Malware find in the news: xz related.2Carlos E.R.
7 Apr 24       `- Re: Malware find in the news: xz related.1John Dallman

Haut de la page

Les messages affichés proviennent d'usenet.

NewsPortal