If you’re running version 5.6.0 or 5.6.1, downgrade immediately.

  • CoolYori [she/her]@hexbear.net
    link
    fedilink
    English
    arrow-up
    11
    ·
    8 months ago

    For me I feel like we have not had any big security stuff since the whole log4j thing. While this seems bigger they have caught it relatively early. I feel like more people had to panic patch Minecraft servers with log4j.

    • yuli [she/her]@hexbear.net
      link
      fedilink
      English
      arrow-up
      7
      ·
      8 months ago

      maybe the libwebp vulnerability deserves a honorable mention, although i don’t think it has had as big an impact, it could’ve been way worse.

    • henfredemars@infosec.pub
      link
      fedilink
      English
      arrow-up
      5
      ·
      8 months ago

      My only reservation is that this compromised contributor has been working on the project for a few years. I hope that this is the end of the tunnel and there aren’t more issues to be uncovered with further analysis.

      • CoolYori [she/her]@hexbear.net
        link
        fedilink
        English
        arrow-up
        11
        ·
        8 months ago

        Its easy to spiral out of control thinking about how the practice that got us this backdoor is something that is used all over the open source community to build code. In the end we can only evaluate what is in front of us and pray the things lurking in the shadows are something we can deal with when they expose themselves.