James58899 => Ubuntu 台灣社群: xz 在 GitHub 上发布的 tarball 的 m4 中包含了恶意后门代码。如非特别标注，以下链接中内容均为英文。 oss-security 邮件列表: https://www.openwall.com/lists/oss-security/2024/03/29/4 debian-security-announce 邮件列表: https://lists.debian.org/debian-security-announce/2024/msg00057.html CVE: https://www.cve.org/CVERecord?id=CVE-2024-3094 NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-3094 GitHub Advisory Database: https://github.com/advisories/GHSA-rxwq-x6h5-x525 Red Hat Customer Portal: https://access.redhat.com/security/cve/CVE-2024-3094 Red Hat Blog: https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users Red Hat Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2024-3094 Debian Security Bug Tracker: https://security-tracker.debian.org/tracker/CVE-2024-3094 SUSE Security: https://www.suse.com/security/cve/CVE-2024-3094.html SUSE Bugzilla: https://bugzilla.suse.com/show_bug.cgi?id=CVE-2024-3094 Gentoo's Bugzilla: https://bugs.gentoo.org/show_bug.cgi?id=CVE-2024-3094 Arch Linux News: https://archlinux.org/news/the-xz-package-has-been-backdoored/ Arch Linux Advisories: https://security.archlinux.org/ASA-202403-1 ==== 忙着查资料的被子饼 ==== 目前的证据表明这个后门仅影响部分 Debian/Ubuntu/Fedora/openSUSE 的预发布版本，且均已发布回退更新目前确定曾受影响的发行版： Debian unstable/testing between 2024-02-26 and 2024-03-29 Ubuntu noble-proposed/noble-release between 2024-02-26 and 2024-03-29 Fedora 40/41(Rawhide) between 2024-02-27 and 2024-03-29 openSUSE Tumbleweed between 2024-03-07 and 2024-03-28 #660724bf1405f87211829bfa

James58899 says to Ubuntu 台灣社群

xz 在 GitHub 上发布的 tarball 的 m4 中包含了恶意后门代码。如非特别标注，以下链接中内容均为英文。 oss-security 邮件列表: https://www.openwall.com/lists/oss-security/2024/03/29/4 debian-security-announce 邮件列表: https://lists.debian.org/debian-security-announce/2024/msg00057.html CVE: https://www.cve.org/CVERecord?id=CVE-2024-3094 NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-3094 GitHub Advisory Database: https://github.com/advisories/GHSA-rxwq-x6h5-x525 Red Hat Customer Portal: https://access.redhat.com/security/cve/CVE-2024-3094 Red Hat Blog: https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users Red Hat Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2024-3094 Debian Security Bug Tracker: https://security-tracker.debian.org/tracker/CVE-2024-3094 SUSE Security: https://www.suse.com/security/cve/CVE-2024-3094.html SUSE Bugzilla: https://bugzilla.suse.com/show_bug.cgi?id=CVE-2024-3094 Gentoo's Bugzilla: https://bugs.gentoo.org/show_bug.cgi?id=CVE-2024-3094 Arch Linux News: https://archlinux.org/news/the-xz-package-has-been-backdoored/ Arch Linux Advisories: https://security.archlinux.org/ASA-202403-1 ==== 忙着查资料的被子饼 ==== 目前的证据表明这个后门仅影响部分 Debian/Ubuntu/Fedora/openSUSE 的预发布版本，且均已发布回退更新目前确定曾受影响的发行版： Debian unstable/testing between 2024-02-26 and 2024-03-29 Ubuntu noble-proposed/noble-release between 2024-02-26 and 2024-03-29 Fedora 40/41(Rawhide) between 2024-02-27 and 2024-03-29 openSUSE Tumbleweed between 2024-03-07 and 2024-03-28

at Sat, Mar 30, 2024 4:29 AM