Malicious code in XZ supply chain and releases

Posted: Sat Mar 30, 2024 8:48 pm
by barbaz

Re: Malicious code in XZ supply chain and releases

Posted: Sun Mar 31, 2024 4:11 pm
by barbaz
Now this is interesting: Someone is making the point that because affected versions of xz-utils are GPL-licensed, the malware author and the xz-utils project are both legally required to provide the full source code for the malware (which was distributed only in obfuscated binary form) - github.com/tukaani-project/.github/issues/2

EDIT: Broke dead link, as both that issue and the account that posted it appear to have been deleted.

Re: Malicious code in XZ supply chain and releases

Posted: Tue Apr 02, 2024 3:26 pm
by therube