Skip to content

About
Contact

/root

Category: security

Arch Linux announcement about OpenSSH

July 1st, 2024

https://archlinux.org/news/the-sshd-service-needs-to-be-restarted-after-upgrading-to-openssh-98p1/
OpenSSH security advisory

July 1st, 2024

https://www.freebsd.org/security/advisories/FreeBSD-SA-24:04.openssh.asc

FreeBSD got a 14.1 p1 update due to this OpenSSH vulnerability
qt5-webengine vulnerabilities

May 20th, 2024

https://www.vuxml.org/freebsd/d58455cc-159e-11ef-83d8-4ccc6adda413.html
OpenSSL – Denial of Service vulnerability

May 18th, 2024

https://www.vuxml.org/freebsd/b88aa380-1442-11ef-a490-84a93843eb75.html
R language vulnerability – arbitrary code execution during deserialization of .rds and .rdx files

May 1st, 2024

https://www.bleepingcomputer.com/news/security/r-language-flaw-allows-code-execution-via-rds-rdx-files

https://www.kb.cert.org/vuls/id/238194
Reverse engineering of the XZ backdoor

April 6th, 2024

Interesting repository trying to reverse engineer the malicious xz code.

“Although no side effects have been observed, it’s recommended to run this code only in a sandbox/virtual machine until the full code has been understood.”

https://github.com/smx-smx/xzre
revealing the features of the XZ backdoor

April 3rd, 2024
xz was discovered by a 500ms lag

March 31st, 2024

The xz backdoor was initially caught by a software engineer at Microsoft. He noticed 500ms lag and thought something was suspicious.

This is the Silver Back Gorilla of nerds. The internet final boss. pic.twitter.com/6IyJQ2tpMm
— vx-underground (@vxunderground) March 30, 2024
“It’s RCE, not auth bypass, and gated/unreplayable.”

March 31st, 2024

https://www.openwall.com/lists/oss-security/2024/03/30/36
xz backdoor’s author was a project’s committer !!

March 30th, 2024

With over 750 commits over the last 2 years, previous xz versions are also not safe.

https://boehs.org/node/everything-i-know-about-the-xz-backdoor
FreeBSD not affected by xz backdoor

March 30th, 2024
1. All supported FreeBSD releases include versions of xz that predate the affected releases.
2. The main, stable/14, and stable/13 branches do include the affected version (5.6.0), but the backdoor components were excluded from the vendor import.
3. Additionally, FreeBSD does not use the upstream’s build tooling, which was a required part of the attack. Lastly, the attack specifically targeted x86_64 Linux systems using glibc.
4. The FreeBSD ports collection does not include xz/liblzma.
https://lists.freebsd.org/archives/freebsd-security/2024-March/000248.html
xz repo in GitHub has been disabled

March 30th, 2024

Crazy stuff

https://github.com/tukaani-project/xz
xz package backdoor!!!

March 29th, 2024

Seems pretty serious! Update your systems now !!!

The vulnerability affects xz packages prior to version 5.6.1-2 (specifically 5.6.0-1 and 5.6.1-1).

Andres Freund noticed odd symptoms around liblzma (part of the xz package) on Debian sid installations over the last weeks (logins with ssh taking a lot of CPU, valgrind errors) and concluded that the xz package has been backdoored.

The backdoor is present in the tarballs released upstream and contains the following line (originally not present in the source code):

After the update:

Running ldd (shared libraries utility) to ensure no linkage between openssh and liblzma.

https://www.openwall.com/lists/oss-security/2024/03/29/4

https://archlinux.org/news/the-xz-package-has-been-backdoored

https://security.archlinux.org/ASA-202403-1
Apple Silicon CPU bug

March 26th, 2024

It is unpatchable, leads to leak of cryptographic keys and uses a novel side-channel attack technique.

https://www.theregister.com/2024/03/22/hardwarelevel_apple_silicon_vulnerability_can
GitHub – security breach affects 12 million auth secrets and keys

March 16th, 2024

“2.6% of the exposed secrets are revoked within the first hour, but a whopping 91.6% remain valid even after five days, which is when GitGuardian stops monitoring their status.”

https://www.bleepingcomputer.com/news/security/over-12-million-auth-secrets-and-keys-leaked-on-github-in-2023

←Previous Page

1 2 3

Privacy & Cookies: This site uses cookies. By continuing to use this website, you agree to their use.
To find out more, including how to control cookies, see here: Cookie Policy

Loading Comments...

Write a Comment...

Email (Required)

Name (Required)

Website

Subscribe Subscribed
- /root
- Already have a WordPress.com account? Log in now.