research!rsc: The xz attack shell script
Posted on Tuesday, April 2, 2024. Updated Wednesday, April 3, 2024. Introduction Andres Freund published the existence of the xz attack on 2024-03-29 to the public oss-security@openwall mailing list. The day before, he alerted Debian security and the (private) distros@openwall list. In his mail, he says that he dug into this after “observing a few odd symptoms around liblzma (part of the xz packag
XZ Utils backdoor
CVE-2024-3094 XZ Utils 5.6.0 and 5.6.1 release tarballs contain a backdoor. These tarballs were created and signed by Jia Tan. Tarballs created by Jia Tan were signed by him. Any tarballs signed by me were created by me. GitHub accounts of both me (Larhzu) and Jia Tan were suspended. Mine was reinstated on 2024-04-02. xz.tukaani.org (DNS CNAME) was hosted on GitHub pages and thus is down too. It m
GitHub Disables The XZ Repository Following Today's Malicious Disclosure - Phoronix
Show Your Support: Did you know that the hundreds of articles written on Phoronix each month are mostly authored by one individual? Phoronix.com doesn't have a whole news room with unlimited resources and relies upon people reading our content without blocking ads and alternatively by people subscribing to Phoronix Premium for our ad-free service with other extra features. GitHub Disables The XZ R
Everything I know about the XZ backdoor
Everything I Know About the XZ Backdoor stateevergreeninblogdate3/29/2024Please note: This is being updated in real-time. The intent is to make sense of lots of simultaneous discoveries regarding this backdoor. last updated: 5:30 EST, on April 2nd Update: The GitHub page for xz has been suspended. 2021JiaT75 (Jia Tan) creates their GitHub account. The first commits they make are not to xz, but the
oss-security - backdoor in upstream xz/liblzma leading to ssh server compromise
Follow @Openwall on Twitter for new release announcements and other news [<prev] [next>] [thread-next>] [day] [month] [year] [list] Date: Fri, 29 Mar 2024 08:51:26 -0700 From: Andres Freund <andres@...razel.de> To: oss-security@...ts.openwall.com Subject: backdoor in upstream xz/liblzma leading to ssh server compromise Hi, After observing a few odd symptoms around liblzma (part of the xz package)
xz-utils backdoor situation (CVE-2024-3094)
xz-backdoor.md FAQ on the xz-utils backdoor (CVE-2024-3094) This is still a new situation. There is a lot we don't know. We don't know if there are more possible exploit paths. We only know about this one path. Please update your systems regardless. This is a living document. Everything in this document is made in good faith of being accurate, but like I just said; we don't yet know everything abo
liblzma and xz version 5.6.0 and 5.6.1 are vulnerable to arbitrary code execution compromise - Xe Iaso
UPDATE(M03-29-2024 13:43-EDT): This is CVE-2024-3094. This is a new situation and we are still gathering information. Here is what we know so far: The xz/liblzma project has released versions 5.6.0 and 5.6.1. The combination of this and patches made by some distributions to the interactions between liblzma, libsystemd, and sshd have resulted in a situation where an attacker can compromise a system
Linux Hardening Guide | Madaidan's Insecurities
Last edited: March 19th, 2022 Linux is not a secure operating system. However, there are steps you can take to improve it. This guide aims to explain how to harden Linux as much as possible for security and privacy. This guide attempts to be distribution-agnostic and is not tied to any specific one. DISCLAIMER: Do not attempt to apply anything in this article if you do not know exactly what you ar
UTS #39: Unicode Security Mechanisms
Summary Because Unicode contains such a large number of characters and incorporates the varied writing systems of the world, incorrect usage can expose programs or systems to possible security attacks. This document specifies mechanisms that can be used to detect possible security problems. Status This document has been reviewed by Unicode members and other interested parties, and has been approve
「オンライン本人認証方式の実態調査」報告書について:IPA 独立行政法人 情報処理推進機構
2013年以降、流出した個人のID・パスワード(以後、アカウント)が、不正アクセスに悪用される、“パスワードリスト攻撃“が多発しています(*1)。IPAではこれを受け、インターネットサービスにおける利用者(個人)とサービス事業者双方のオンライン本人認証(*2)の実態調査をおこない、安全なオンライン認証を実現する上での利用者側、サービス事業者側の対策を検討し、優先すべき対策項目を報告書として取りまとめました。 調査結果から、利用者の安全なパスワードに対する認識は決して低くはないが、適切に設定している割合は低い。また、サービス事業者が提供しているパスワード設定のセキュリティレベルは最低限の安全条件を満たしているとは言い難い、という結果が判明しました。調査結果のポイント及び詳細については、以下のプレスリリースや調査報告書をご参照ください。 (*1)本報告書では公開情報をもとに2013年に発生した
XML Schema, DTD, and Entity Attacks / A Compendium of Known Techniques [PDF]
XML Schema, DTD,and Entity Attacks A Compendium of Known Techniques May 19, 2014 Version 1.0 Timothy D.Morgan (@ecbftw) Omar Al Ibrahim (oalibrahim@vsecurity.com) Contents Abstract...............................................................................................................................................................................3 Introduction...............................
「地方公共団体における情報システムセキュリティ要求仕様モデルプラン(Webアプリケーション)」を一般公開しました - 財団法人 地方自治情報センター(LASDEC)
現在位置: ホーム > 情報セキュリティ 対策支援 > 自治体セキュリティ支援室からのお知らせ > 「地方公共団体における情報システムセキュリティ要求仕様モデルプラン(Webアプリケーション)」を一般公開しました 背景 情報システムは住民向けのサービス基盤として欠かせない存在ですが、情報システムを安全に利用する上で避けては通れない問題があります。それが「脆弱性」に関する問題です。 脆弱性とは情報セキュリティ上の弱点のことであり、脆弱性の問題を放置すると、情報の流出や、ホームページ等コンテンツの改ざん、サービスの停止などの問題を引き起こす可能性があります。一見すると安定して動作しているように見えていても脆弱性が内在することもあり、情報システムの調達・構築・運用にあたってこの対処をあらかじめ決めておくことは安定的な運用に欠かせないことです。 特に近年ではWebアプリケーションの脆弱性
リリース、障害情報などのサービスのお知らせ
最新の人気エントリーの配信
j次のブックマーク
k前のブックマーク
lあとで読む
eコメント一覧を開く
oページを開く
Cloudy with a Chance of Cyberattacks: Dangling Resources Abuse on Cloud Platforms
Abuse of dangling DNS records on cloud platforms | APNIC Blog
Added error text to warning when untaring with bsdtar by JiaT75 · Pull Request #1609 · libarchive/libarchive
Re: [xz-devel] XZ for Java
AndresFreundTec (@AndresFreundTec@mastodon.social)
Reported Supply Chain Compromise Affecting XZ Utils Data Compression Library, CVE-2024-3094 | CISA
Forged Delegation Injection into Empty Non-Terminal with NSEC3
模倣サイト注意喚起に踊った輩は何が迂闊だったか
