Other Attempts to Take Over Open Source Projects

Read Time:51 Second

After the XZ Utils discovery, people have been examining other open-source projects. Surprising no one, the incident is not unique:

The OpenJS Foundation Cross Project Council received a suspicious series of emails with similar messages, bearing different names and overlapping GitHub-associated emails. These emails implored OpenJS to take action to update one of its popular JavaScript projects to “address any critical vulnerabilities,” yet cited no specifics. The email author(s) wanted OpenJS to designate them as a new maintainer of the project despite having little prior involvement. This approach bears strong resemblance to the manner in which “Jia Tan” positioned themselves in the XZ/liblzma backdoor.

[…]

The OpenJS team also recognized a similar suspicious pattern in two other popular JavaScript projects not hosted by its Foundation, and immediately flagged the potential security concerns to respective OpenJS leaders, and the Cybersecurity and Infrastructure Security Agency (CISA) within the United States Department of Homeland Security (DHS).

The article includes a list of suspicious patterns, and another list of security best practices.

Read More

glibc-2.37-19.fc38

Read Time:10 Second

FEDORA-2024-f7ae5df88d

Packages in this update:

glibc-2.37-19.fc38

Update description:

This update includes several bug fixes from the upstream glibc release branch, including a fix for CVE-2024-2961.

Read More

glibc-2.38-18.fc39

Read Time:10 Second

FEDORA-2024-9be1b94714

Packages in this update:

glibc-2.38-18.fc39

Update description:

This update includes several bug fixes from the upstream glibc release branch, including a fix for CVE-2024-2961.

Read More

golang-github-prometheus-alertmanager-0.27.0-1.fc41

Read Time:48 Second

FEDORA-2024-8580c06716

Packages in this update:

golang-github-prometheus-alertmanager-0.27.0-1.fc41

Update description:

Automatic update for golang-github-prometheus-alertmanager-0.27.0-1.fc41.

Changelog

* Thu Apr 18 2024 Mikel Olasagasti Uranga <mikel@olasagasti.info> – 0.27.0-1
– Update to 0.27.0 – Closes rhbz#2064711 rhbz#2248329 rhbz#2260773
rhbz#2261192
* Sun Feb 11 2024 Maxwell G <maxwell@gtmx.me> – 0.23.0-20
– Rebuild for golang 1.22.0
* Wed Jan 24 2024 Fedora Release Engineering <releng@fedoraproject.org> – 0.23.0-19
– Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Sat Jan 20 2024 Fedora Release Engineering <releng@fedoraproject.org> – 0.23.0-18
– Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Thu Jul 20 2023 Fedora Release Engineering <releng@fedoraproject.org> – 0.23.0-16
– Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild

Read More