Jan Wildeboer ๐ท
Again the FOSS world has proven to be vigilant and proactive in finding bugs and backdoors, IMHO. The level of transparency is stellar, especially compared to proprietary software companies. What the FOSS world has accomplished in 24 hours after detection of the backdoor code in #xz deserves a moment of humbleness. Instead we have flamewars and armchair experts shouting that we must change everything NOW. Which would introduce even more risks. Progress is made iteratively. Learn, adapt, repeat.
Tim MansfieldJust FTR. The backdoor code was inserted only under very specific circumstances in the build process. Once the problem was identified and after initial analysis made it clear how it worked, immediate action was taken in a coordinated fashion. Affected builds/packages were removed, update systems for affected distributions started delivering forced downgrades. Users of these systems were informed. This all happened in public, in transparent and open ways. All in the first 24 hours. I tip my hat.
Now the mess is being cleaned up. AFAICS this exploit was NOT used in the wild by bad actors. So it wasn't even a 0day. The damage is limited, contained and being taken care of. In a coordinated way, across communities, companies and more organisations. Because we were prepared for the aftermath. We have learned form Heartbleed and other events. Our FOSS immune system works. And will learn from this incident. Peace.
For the impact on #Fedora, please follow the developing story at https://fedoramagazine.org/cve-2024-3094-security-alert-f40-rawhide/ - That's the transparency and openness I am talking about.
CVE-2024-3094: Urgent alert for Fedora Linux 40 and Rawhide users - Fedora Magazine
Summary: The latest versions of the โxzโ tools and libraries contain malicious code that appears to be intended to allow unauthorized access. Specifically, this code is present in versions 5.6.0 and 5.6.1 of the libraries. Fedora Linux 40 users may have received version 5.6.0, depending on the timing of system updates. Fedora Rawhide users may have received version 5.6.0 or 5.6.1.
This #xz backdoor is tracked as CVE-2024-3094 and this CVE was opened by #RedHat. You can find our data on this at https://access.redhat.com/security/cve/CVE-2024-3094 If you search for "CVE-2024-3094" with the search engine of your choice you will find a growing list of references (and clickbait stories) of which https://nvd.nist.gov/vuln/detail/CVE-2024-3094 is a bit more relevant as it contains a long list of links to more news and background. The thread that started it all is at https://www.openwall.com/lists/oss-security/2024/03/29/4
The FAQ is at https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27
I will let this tread rest for a while, as IMHO (In My Humble Opinion) everything we know ATM (At This Moment) is documented in the links I provided and besides making sure our machines have been updated (more precise: downgraded the xz package) there is not much we can do. I will NOT participate in speculations and potentially harmful spreading of rumours. And now I will be taking care of other things on this beautiful day. Thank you all for taking your time to read and comment!
#xz #liblzma backdoor/exploit, CVE-2024-3094
Short update: the best source for up2date information on the history, analysis, fallout and moving forward is now https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27
As expected, a lot of motivated but not well-informed or qualified people in the comments are adding fuel to a fire that is effectively under control and almost extinguished, so when you read that FAQ, please ignore most of the comments under it.
CartyBoston"Please Ignore Most of the Comments" is an anthem for our time.
samThank you!
I did consider trying to moderate the comments but github gists are not ideal for this, and I realised it would both end up upsetting people and waste time.
I am trying to ask for calm when things look heated but otherwise decided to just leave it be. Universal law of comment sections...
@thesamesam You are doing a fantastic job with your FAQ and calm approach. My only little bit of advice would be to mark the newest changes with some kind of markup, so repeat readers get some visual indication of what's changed. But that's only for people that don't know how to use the diff function (which is a lot of the superficial people ;)
@jwildeboer Thank you! I will try implement this :)
Michael McCune โฎ๏ธ@jwildeboer hope you enjoy the day =)
phoenix๐ง๐๐๐๐@jwildeboer even more, 1000 eyes are now focussing on the wound, looking for damages and other infections. 1000 eyes that would otherwise do other things are focussing on the one wound, so it can heal.
Once a problem has been identified, the self-healing capabilities are typically given. This is the resilience that is needed for survival. And it is there.
That's the open-source spirit, and it is awesome ๐ค๐
Joe Brockmeier (@jzb)@jwildeboer yesโฆ but. Iโm now wondering if there are other instances we havenโt caught, or caught yet. Seems optimistic to assume that weโve spotted a solitary instance of a very sophisticated approach to sneaking in back doors.
At a minimum, it might be time to revisit the practice of key signing parties and doing more to vet contributors.
@jzb What I am trying to say is that there are two sides here. Solving and cleaning up after it happened is #1. That is what I am talking about. #2, what you mention, is how to harden the FOSS ecosystem proactively to reduce the risk of stuff "hiding in plain sight" in FOSS. That's a far wider field with many more unknowns.
We just shouldn't mix the two things because that leads to open ending arguments and not to solutions, IMHO.
Crissi (they/fae/she)@jwildeboer @jzb The most important point I read (not sure which of the links was it that linked a mastodon post) was about how this whole situation was driven by developer burnout basically. I don't know how, but we need to find a way to better take care of our deer FOSS devs so they don't burn out and give their project to a malicious actor out of sheer desperation.
Markus Feilner (has moved)@jwildeboer Another great example for the Power of #opensource.