Create accountLogin

Recent searches

No recent searches

Search options

Only available when logged in.
floss.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
For people who care about, support, and build Free, Libre, and Open Source Software (FLOSS).

Administered by:

Server stats:

681
active users

floss.social: AboutStatusProfiles directoryPrivacy policy

Mastodon: AboutGet the appKeyboard shortcutsView source codev4.3.7

Public
Berto Garcia

This is big: one of the xz-utils / liblzma *upstream maintainers* added malicious code to the last couple of releases. This is the person who actually publishes and signs the tarballs. If you are using liblzma 5.6.0 or 5.6.1 make sure to update your packages asap and consider reinstalling the OS or recreating the container.

openwall.com/lists/oss-securit

www.openwall.comoss-security - backdoor in upstream xz/liblzma leading to ssh server compromise
Berto Garcia

This same person opened an account in Launchpad yesterday to ask the Ubuntu maintainers to please update the package to the latest (infected) version

bugs.launchpad.net/ubuntu/+sou

LaunchpadBug #2059417 “Sync xz-utils 5.6.1-1 (main) from Debian unstable ...” : Bugs : xz-utils package : UbuntuNOTE: THIS IS AN ATTEMPT AT INCLUDING A BACKDOOR. THIS IS LEFT FOR HISTORICAL PURPOSES ONLY AND MUST NOT BE DONE. Please sync xz-utils 5.6.1-1 (main) from Debian unstable (main) Hello! I am one of the upstream maintainers for XZ Utils. Version 5.6.1 was recently released and uploaded to Debian as a bugfix only release. Notably, this fixes a bug that causes Valgrind to issue a warning on any application dynamically linked with liblzma. This includes a lot of important applications. This cou...
Mar 29, 2024, 05:00 PM·Public
10boosts·30favorites
Public
Berto Garcia

Looking back at the archives, there was a certain Jigar Kumar posting to the xz-devel mailing list *two years ago* pressuring the original maintainer to accept help from other people:

mail-archive.com/xz-devel@tuka

mail-archive.com/search?q=Kuma

www.mail-archive.comRe: [xz-devel] XZ for Java
Explore
About