CVE-2024-3094: Urgent alert for Fedora Linux 40 and Rawhide users (fedoramagazine.org)
from petsoi@discuss.tchncs.de to linux@lemmy.ml on 30 Mar 2024 05:46
https://discuss.tchncs.de/post/13398290

#linux

threaded - newest

thurstylark@lemm.ee on 30 Mar 2024 06:24 next collapse

Me: fixes exposure to vuln

Also me: grabs popcorn

This is going to be an interesting story once this all quiets down…

Bitrot@lemmy.sdf.org on 30 Mar 2024 06:37 next collapse

Gonna take a bit. The dudes been doing the releases for over a year, everything they touched is suspect now even if nothing earlier is known. Also some other associated accounts have been doing shady stuff too.

And that’s just one project that had a burnt out maintainer who welcomed some help from this guy. There are probably others. The hobby project becoming a core piece is a big issue.

brunacho@scribe.disroot.org on 30 Mar 2024 13:10 next collapse

Gonna take a bit. The dudes been doing the releases for over a year, everything they touched is suspect now even if nothing earlier is known. Also some other associated accounts have been doing shady stuff too.

gonna take even a bit more now. Github closed the account and project making it really difficult to see their commits and merges and analyze them.

Bitrot@lemmy.sdf.org on 30 Mar 2024 15:53 collapse

It’s also at git.tukaani.org.

SuperIce@lemmy.world on 30 Mar 2024 07:09 collapse

Yeah, it looks like that little Jenga block from the xkcd meme was XZ and a bunch of infrastructure is gonna have issues because of it.

<img alt="" src="https://lemmy.world/pictrs/image/3eaa7d84-bad5-4d4c-a9f4-19a43bacdb99.png">

theshatterstone54@feddit.uk on 30 Mar 2024 09:26 collapse

Fixes exposure

It says F39 users are not affected. Are you running Rawhide/F40 Beta? p

thurstylark@lemm.ee on 30 Mar 2024 11:31 collapse

Running Arch, so not really exposed, but still had a compromised version installed.

wolf@lemmy.zip on 30 Mar 2024 13:52 next collapse

Supply chain attacks are extremely cheap/easy and very effective, so get prepared for more of them in the future.

It really bothers me, that many companies make billions utilizing open source without contributing money/employees etc. to secure/supply/maintain supply chains.

RedNight@lemmy.ml on 30 Mar 2024 16:19 collapse

This one might not have been that cheap. The malicious code was added by a maintainer on the project for two years. That is some patience

wolf@lemmy.zip on 30 Mar 2024 17:52 next collapse

Agreed. I am more speaking of ‘in general’, for example there was a supply chain attack on a widely used npm package by writing an email to the author of the npm package. There are other ‘cheap’ attacks like dependency confusion, typo squatting etc.

NotMyOldRedditName@lemmy.world on 30 Mar 2024 16:42 collapse

What about finding someone like this and then blackmailing them?

That would be cheaper

SMillerNL@lemmy.world on 30 Mar 2024 17:30 collapse

xkcd.com/538/

bassomitron@lemmy.world on 30 Mar 2024 23:13 collapse

Lol, too true. It’s either that or honeytraps

wolf@lemmy.zip on 30 Mar 2024 13:53 next collapse

Mandatory XKCD: Dependency

leopold@lemmy.kde.social on 30 Mar 2024 16:06 collapse

actual link xkcd.com/2347/

steal_your_face@lemmy.ml on 30 Mar 2024 16:16 next collapse

Happy it doesn’t affect stable versions

delirious_owl@discuss.online on 31 Mar 2024 15:00 next collapse

Did they intentionally not put the package name in the headline just to draw more clicks? Ffs

annata20@discuss.tchncs.de on 31 Jul 2024 05:00 collapse

CVE-2024-3094 represents a serious security threat for Pokerogue Fedora Linux 40 and Rawhide users. Promptly updating your system and applying the necessary patches are crucial steps in mitigating this vulnerability.