| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20240329195602.382cb1c99bb70e3d8c6093ae@linux-foundation.org> Date: Fri, 29 Mar 2024 19:56:02 -0700 From: Andrew Morton <akpm@...ux-foundation.org> To: Jonathan Corbet <corbet@....net> Cc: Kees Cook <keescook@...omium.org>, Lasse Collin <lasse.collin@...aani.org>, Jia Tan <jiat0218@...il.com>, linux-kernel@...r.kernel.org Subject: Re: [tech-board] [PATCH 00/11] xz: Updates to license, filters, and compression options On Fri, 29 Mar 2024 14:51:41 -0600 Jonathan Corbet <corbet@....net> wrote: > > Andrew (and anyone else), please do not take this code right now. > > > > Until the backdooring of upstream xz[1] is fully understood, we should not > > accept any code from Jia Tan, Lasse Collin, or any other folks associated > > with tukaani.org. It appears the domain, or at least credentials > > associated with Jia Tan, have been used to create an obfuscated ssh > > server backdoor via the xz upstream releases since at least 5.6.0. > > Without extensive analysis, we should not take any associated code. > > It may be worth doing some retrospective analysis of past contributions > > as well... > > > > Lasse, are you able to comment about what is going on here? > > FWIW, it looks like this series has been in linux-next for a few days. > Maybe it needs to come out, for now at least? Yes, I have removed that series.
Powered by blists - more mailing lists