2 weeks ago (Received 1 week ago) • •
Here's a thorough analysis of all the commits by "Jia Tan" from 2023-08 through 2024-03, showing the many legitimate code changes done before the introduction of the #xz #backdoor:
https://tukaani.org/xz-backdoor/review.html
Excellent summary by Solar Designer on oss-security of what's happened in the last two weeks in response to the #xz #backdoor:
https://www.openwall.com/lists/oss-security/2024/04/16/5
Noteworthy:- #OpenSSH implemented systemd notification- #systemd moves to dlopen(3) for some dependencies- another detailed timeline at https://research.swtch.com/xz-timeline- similar social engineering takeover attempts suspected in #OpenJS and #OpenSSF
Jan Schaumann
in reply to Jan Schaumann • • •Excellent summary by Solar Designer on oss-security of what's happened in the last two weeks in response to the #xz #backdoor:
https://www.openwall.com/lists/oss-security/2024/04/16/5
Noteworthy:
- #OpenSSH implemented systemd notification
- #systemd moves to dlopen(3) for some dependencies
- another detailed timeline at https://research.swtch.com/xz-timeline
- similar social engineering takeover attempts suspected in #OpenJS and #OpenSSF
research!rsc: Timeline of the xz open source attack
research.swtch.com