Fri Nov 22 01:17:47 2024 EVENTS FREE SOFTWARE INSTITUTE POLITICS JOBS MEMBERS' CORNER MAILING LIST NYLXS Members have a lot to say and share but we don't keep many secrets. Join the Hangout Mailing List and say your peice. DATE 2024-04-01 HANGOUT 2024-11-22 | 2024-10-22 | 2024-09-22 | 2024-08-22 | 2024-07-22 | 2024-06-22 | 2024-05-22 | 2024-04-22 | 2024-03-22 | 2024-02-22 | 2024-01-22 | 2023-12-22 | 2023-11-22 | 2023-10-22 | 2023-09-22 | 2023-08-22 | 2023-07-22 | 2023-06-22 | 2023-05-22 | 2023-04-22 | 2023-03-22 | 2023-02-22 | 2023-01-22 | 2022-12-22 | 2022-11-22 | 2022-10-22 | 2022-09-22 | 2022-08-22 | 2022-07-22 | 2022-06-22 | 2022-05-22 | 2022-04-22 | 2022-03-22 | 2022-02-22 | 2022-01-22 | 2021-12-22 | 2021-11-22 | 2021-10-22 | 2021-09-22 | 2021-08-22 | 2021-07-22 | 2021-06-22 | 2021-05-22 | 2021-04-22 | 2021-03-22 | 2021-02-22 | 2021-01-22 | 2020-12-22 | 2020-11-22 | 2020-10-22 | 2020-09-22 | 2020-08-22 | 2020-07-22 | 2020-06-22 | 2020-05-22 | 2020-04-22 | 2020-03-22 | 2020-02-22 | 2020-01-22 | 2019-12-22 | 2019-11-22 | 2019-10-22 | 2019-09-22 | 2019-08-22 | 2019-07-22 | 2019-06-22 | 2019-05-22 | 2019-04-22 | 2019-03-22 | 2019-02-22 | 2019-01-22 | 2018-12-22 | 2018-11-22 | 2018-10-22 | 2018-09-22 | 2018-08-22 | 2018-07-22 | 2018-06-22 | 2018-05-22 | 2018-04-22 | 2018-03-22 | 2018-02-22 | 2018-01-22 | 2017-12-22 | 2017-11-22 | 2017-10-22 | 2017-09-22 | 2017-08-22 | 2017-07-22 | 2017-06-22 | 2017-05-22 | 2017-04-22 | 2017-03-22 | 2017-02-22 | 2017-01-22 | 2016-12-22 | 2016-11-22 | 2016-10-22 | 2016-09-22 | 2016-08-22 | 2016-07-22 | 2016-06-22 | 2016-05-22 | 2016-04-22 | 2016-03-22 | 2016-02-22 | 2016-01-22 | 2015-12-22 | 2015-11-22 | 2015-10-22 | 2015-09-22 | 2015-08-22 | 2015-07-22 | 2015-06-22 | 2015-05-22 | 2015-04-22 | 2015-03-22 | 2015-02-22 | 2015-01-22 | 2014-12-22 | 2014-11-22 | 2014-10-22 | 2014-09-22 | 2014-08-22 | 2014-07-22 | 2014-06-22 | 2014-05-22 | 2014-04-22 | 2014-03-22 | 2014-02-22 | 2014-01-22 | 2013-12-22 | 2013-11-22 | 2013-10-22 | 2013-09-22 | 2013-08-22 | 2013-07-22 | 2013-06-22 | 2013-05-22 | 2013-04-22 | 2013-03-22 | 2013-02-22 | 2013-01-22 | 2012-12-22 | 2012-11-22 | 2012-10-22 | 2012-09-22 | 2012-08-22 | 2012-07-22 | 2012-06-22 | 2012-05-22 | 2012-04-22 | 2012-03-22 | 2012-02-22 | 2012-01-22 | 2011-12-22 | 2011-11-22 | 2011-10-22 | 2011-09-22 | 2011-08-22 | 2011-07-22 | 2011-06-22 | 2011-05-22 | 2011-04-22 | 2011-03-22 | 2011-02-22 | 2011-01-22 | 2010-12-22 | 2010-11-22 | 2010-10-22 | 2010-09-22 | 2010-08-22 | 2010-07-22 | 2010-06-22 | 2010-05-22 | 2010-04-22 | 2010-03-22 | 2010-02-22 | 2010-01-22 | 2009-12-22 | 2009-11-22 | 2009-10-22 | 2009-09-22 | 2009-08-22 | 2009-07-22 | 2009-06-22 | 2009-05-22 | 2009-04-22 | 2009-03-22 | 2009-02-22 | 2009-01-22 | 2008-12-22 | 2008-11-22 | 2008-10-22 | 2008-09-22 | 2008-08-22 | 2008-07-22 | 2008-06-22 | 2008-05-22 | 2008-04-22 | 2008-03-22 | 2008-02-22 | 2008-01-22 | 2007-12-22 | 2007-11-22 | 2007-10-22 | 2007-09-22 | 2007-08-22 | 2007-07-22 | 2007-06-22 | 2007-05-22 | 2007-04-22 | 2007-03-22 | 2007-02-22 | 2007-01-22 | 2006-12-22 | 2006-11-22 | 2006-10-22 | 2006-09-22 | 2006-08-22 | 2006-07-22 | 2006-06-22 | 2006-05-22 | 2006-04-22 | 2006-03-22 | 2006-02-22 | 2006-01-22 | 2005-12-22 | 2005-11-22 | 2005-10-22 | 2005-09-22 | 2005-08-22 | 2005-07-22 | 2005-06-22 | 2005-05-22 | 2005-04-22 | 2005-03-22 | 2005-02-22 | 2005-01-22 | 2004-12-22 | 2004-11-22 | 2004-10-22 | 2004-09-22 | 2004-08-22 | 2004-07-22 | 2004-06-22 | 2004-05-22 | 2004-04-22 | 2004-03-22 | 2004-02-22 | 2004-01-22 | 2003-12-22 | 2003-11-22 | 2003-10-22 | 2003-09-22 | 2003-08-22 | 2003-07-22 | 2003-06-22 | 2003-05-22 | 2003-04-22 | 2003-03-22 | 2003-02-22 | 2003-01-22 | 2002-12-22 | 2002-11-22 | 2002-10-22 | 2002-09-22 | 2002-08-22 | 2002-07-22 | 2002-06-22 | 2002-05-22 | 2002-04-22 | 2002-03-22 | 2002-02-22 | 2002-01-22 | 2001-12-22 | 2001-11-22 | 2001-10-22 | 2001-09-22 | 2001-08-22 | 2001-07-22 | 2001-06-22 | 2001-05-22 | 2001-04-22 | 2001-03-22 | 2001-02-22 | 2001-01-22 | 2000-12-22 | 2000-11-22 | 2000-10-22 | 2000-09-22 | 2000-08-22 | 2000-07-22 | 2000-06-22 | 2000-05-22 | 2000-04-22 | 2000-03-22 | 2000-02-22 | 2000-01-22 | 1999-12-22 Key: Value: Key: Value: MESSAGE DATE 2024-04-25 FROM Ruben Safir SUBJECT Subject: [Hangout - NYLXS] xz backdoor https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27 FAQ on the xz-utils backdoor (CVE-2024-3094) This is a living document. Everything in this document is made in good faith of being accurate, but like I just said; we don't yet know everything about what's going on. Background On March 29th, 2024, a backdoor was discovered in xz-utils, a suite of software that gives developers lossless compression. This package is commonly used for compressing release tarballs, software packages, kernel images, and initramfs images. It is very widely distributed, statistically your average Linux or macOS system will have it installed for convenience. This backdoor is very indirect and only shows up when a few known specific criteria are met. Others may be yet discovered! However, this backdoor is at least triggerable by remote unprivileged systems connecting to public SSH ports. This has been seen in the wild where it gets activated by connections - resulting in performance issues, but we do not know yet what is required to bypass authentication (etc) with it. We're reasonably sure the following things need to be true for your system to be vulnerable: You need to be running a distro that uses glibc (for IFUNC) You need to have versions 5.6.0 or 5.6.1 of xz or liblzma installed (xz-utils provides the library liblzma) - likely only true if running a rolling-release distro and updating religiously. We know that the combination of systemd and patched openssh are vulnerable but pending further analysis of the payload, we cannot be certain that other configurations aren't. While not scaremongering, it is important to be clear that at this stage, we got lucky, and there may well be other effects of the infected liblzma. If you're running a publicly accessible sshd, then you are - as a rule of thumb for those not wanting to read the rest here - likely vulnerable. If you aren't, it is unknown for now, but you should update as quickly as possible because investigations are continuing. TL:DR: Using a .deb or .rpm based distro with glibc and xz-5.6.0 or xz-5.6.1: Using systemd on publicly accessible ssh: update RIGHT NOW NOW NOW Otherwise: update RIGHT NOW NOW but prioritize the former Using another type of distribution: With glibc and xz-5.6.0 or xz-5.6.1: update RIGHT NOW, but prioritize the above. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ You are right that he did attack the makefile but the makefile is for the addition of xz to standard opensshd for deb and rpms I don't use debs or rpms -- So many immigrant groups have swept through our town that Brooklyn, like Atlantis, reaches mythological proportions in the mind of the world - RI Safir 1998 http://www.mrbrklyn.com DRM is THEFT - We are the STAKEHOLDERS - RI Safir 2002 http://www.nylxs.com - Leadership Development in Free Software http://www.brooklyn-living.com Being so tracked is for FARM ANIMALS and extermination camps, but incompatible with living as a free human being. -RI Safir 2013 _______________________________________________ Hangout mailing list Hangout-at-nylxs.com http://lists.mrbrklyn.com/mailman/listinfo/hangout 2024-04-01 Gabor Szabo <gabor-at-szabgab.com> Subject: [Hangout - NYLXS] [Perlweekly] #662 - TPRC in Las Vegas 2024-04-03 From: "Free Software Foundation" <info-at-fsf.org> Subject: [Hangout - NYLXS] There are plenty of ways to socialize at 2024-04-02 From: "Free Software Foundation" <info-at-fsf.org> Subject: [Hangout - NYLXS] Free Software Supporter -- Issue 192, April 2024 2024-04-01 From: "Humble Bundle" <contact-at-mailer.humblebundle.com> Subject: [Hangout - NYLXS] =?utf-8?b?SXTigJlzIHRpbWUgdG8gbWFzdGVyIEMjICYg?= 2024-04-05 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout - NYLXS] Earthquake 2024-04-05 Ruben Safir <mrbrklyn-at-panix.com> Re: [Hangout - NYLXS] Earthquake 2024-04-07 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout - NYLXS] Testimony 2024-04-07 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout - NYLXS] Amsterdam - Hals Exhibit 2024-04-08 Gabor Szabo <gabor-at-szabgab.com> Subject: [Hangout - NYLXS] [Perlweekly] #663 - No idea 2024-04-10 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout - NYLXS] death to america 2024-04-11 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout - NYLXS] Caliphate in Germany... 2024-04-11 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout - NYLXS] Oh and BTW - in Iran 2024-04-13 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout - NYLXS] Now for Something Different - Democracy and 2024-04-13 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout - NYLXS] xz exlpoit - and social hacking 2024-04-14 Ruben Safir <mrbrklyn-at-panix.com> Subject: [Hangout - NYLXS] German Citizenship 2024-04-15 Touro Graduate School of Technology <info.gst-at-touro.edu> Subject: [Hangout - NYLXS] Get Ahead of the Curve: How AI is Changing Work 2024-04-17 Ruben Safir <mrbrklyn-at-panix.com> Subject: [Hangout - NYLXS] Racist MTA from the ground up... 2024-04-15 Gabor Szabo <gabor-at-szabgab.com> Subject: [Hangout - NYLXS] [Perlweekly] #664 - German Perl Workshop 2024-04-19 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout - NYLXS] Try something pretty incredable 2024-04-22 Gabor Szabo <gabor-at-szabgab.com> Subject: [Hangout - NYLXS] [Perlweekly] #665 - How to get better at Perl? 2024-04-25 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout - NYLXS] xz backdoor 2024-04-26 Ruben Safir <mrbrklyn-at-panix.com> Subject: [Hangout - NYLXS] Fwd: Contracting News: April 2024 Vendor 2024-04-29 Gabor Szabo <gabor-at-szabgab.com> Subject: [Hangout - NYLXS] [Perlweekly] #666 - LPW 2024 NYLXS are Do'ers and the first step of Doing is Joining! Join NYLXS and make a difference in your community today!