Conclusions from CVE-2024-3094 (libxz disaster)
Oldřich Jedlička
oldium.pro at gmail.com
Sat Mar 30 14:54:00 PDT 2024
Hi,
so 30. 3. 2024 v 16:31 odesílatel Daniel Golle <daniel at makrotopia.org> napsal:
> Hiding a malicious change in a commit is infinitely harder than hiding
> it in a tarball.
Just a note: The malicious code was part of the tarball because it was
part of the main Git repository in the first place. Using Git would
not help in any way in this particular case. Just check [1] together
with findings [2].
[1]: https://git.tukaani.org/?p=xz.git;a=shortlog
[2]: https://boehs.org/node/everything-i-know-about-the-xz-backdoor
Cheers
Oldrich.
More information about the openwrt-devel
mailing list