@AndresFreundTec congrats and thank you for the investigation - IMO this is going to go down as the vuln of the decade. What a find.
@dgilman Unfortunately I suspect we'll see a lot more such attacks going forward, in all likelihood with more success in some cases.
@AndresFreundTec @dgilman
This is insane. I expect full-fledged articles out soon, but another interesting bit in https://news.ycombinator.com/item?id=39866275 :
"the apparent author of the backdoor was in communication with me over several weeks trying to get xz 5.6.x added to Fedora 40 & 41 because of its 'great new features'"
This is CVE-2024-3094 for easier tracking.