Malicious code in XZ supply chain and releases

Talk about internet security, computer security, personal security, your social security number...
Post Reply
barbaz
Senior Member
Posts: 10872
Joined: Sat Aug 03, 2013 5:45 pm

Malicious code in XZ supply chain and releases

Post by barbaz »

*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (X11; Linux x86_64; rv:124.0) Gecko/20100101 Firefox/124.0
barbaz
Senior Member
Posts: 10872
Joined: Sat Aug 03, 2013 5:45 pm

Re: Malicious code in XZ supply chain and releases

Post by barbaz »

Now this is interesting: Someone is making the point that because affected versions of xz-utils are GPL-licensed, the malware author and the xz-utils project are both legally required to provide the full source code for the malware (which was distributed only in obfuscated binary form) - github.com/tukaani-project/.github/issues/2

EDIT Broke dead link as both that issue and the account that posted it appear to have been deleted.
Last edited by barbaz on Tue Apr 02, 2024 5:17 pm, edited 1 time in total.
Reason: -
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (X11; Linux x86_64; rv:124.0) Gecko/20100101 Firefox/124.0
User avatar
therube
Ambassador
Posts: 7944
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: Malicious code in XZ supply chain and releases

Post by therube »

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 SeaMonkey/2.53.19
Post Reply