• Thurstylark@lemm.ee
    link
    fedilink
    English
    arrow-up
    44
    ·
    9 months ago

    Me: fixes exposure to vuln

    Also me: grabs popcorn

    This is going to be an interesting story once this all quiets down…

    • Bitrot@lemmy.sdf.org
      link
      fedilink
      English
      arrow-up
      50
      ·
      edit-2
      9 months ago

      Gonna take a bit. The dudes been doing the releases for over a year, everything they touched is suspect now even if nothing earlier is known. Also some other associated accounts have been doing shady stuff too.

      And that’s just one project that had a burnt out maintainer who welcomed some help from this guy. There are probably others. The hobby project becoming a core piece is a big issue.

      • SuperIce@lemmy.world
        link
        fedilink
        English
        arrow-up
        20
        ·
        9 months ago

        Yeah, it looks like that little Jenga block from the xkcd meme was XZ and a bunch of infrastructure is gonna have issues because of it.

      • Brunacho@scribe.disroot.org
        link
        fedilink
        English
        arrow-up
        10
        ·
        9 months ago

        Gonna take a bit. The dudes been doing the releases for over a year, everything they touched is suspect now even if nothing earlier is known. Also some other associated accounts have been doing shady stuff too.

        gonna take even a bit more now. Github closed the account and project making it really difficult to see their commits and merges and analyze them.

      • Thurstylark@lemm.ee
        link
        fedilink
        English
        arrow-up
        10
        ·
        9 months ago

        Running Arch, so not really exposed, but still had a compromised version installed.

  • wolf
    link
    fedilink
    English
    arrow-up
    26
    ·
    edit-2
    9 months ago

    Supply chain attacks are extremely cheap/easy and very effective, so get prepared for more of them in the future.

    It really bothers me, that many companies make billions utilizing open source without contributing money/employees etc. to secure/supply/maintain supply chains.

    • RedNight@lemmy.ml
      link
      fedilink
      arrow-up
      12
      ·
      9 months ago

      This one might not have been that cheap. The malicious code was added by a maintainer on the project for two years. That is some patience

  • annata20@discuss.tchncs.de
    link
    fedilink
    arrow-up
    1
    ·
    5 months ago

    CVE-2024-3094 represents a serious security threat for Pokerogue Fedora Linux 40 and Rawhide users. Promptly updating your system and applying the necessary patches are crucial steps in mitigating this vulnerability.