Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

add blog post about the xz backdoor #2143

Merged
merged 2 commits into from
Apr 2, 2024
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
30 changes: 30 additions & 0 deletions blog/2024-04-02-xz-backdoor.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,30 @@
---
authors:
- core
tags: [security]
---

# About the `xz` backdoor

On March 29th, 2024, at 18:07 UTC, the core team learnt about the [recently disclosed `xz` backdoor](https://www.openwall.com/lists/oss-security/2024/03/29/4), now labeled as [`CVE-2024-3094`](https://nvd.nist.gov/vuln/detail/CVE-2024-3094).

To the best of our knowledge, conda-forge's artifacts for `xz` are _not_ affected.

<!--truncate -->

## Our response

We immediately checked which `xz` artifacts had been published in our channel:

- Our latest build for `xz` (recipe source available in the [`xz-feedstock`](https://github.com/conda-forge/xz-feedstock/blob/main/recipe/meta.yaml)) is for version `5.2.9` and was uploaded on 2022-12-08. See artifacts in [anaconda.org](https://anaconda.org/conda-forge/xz/files).
- The backdoored versions of `xz` belong to the `5.6.x` series.

We are monitoring the situation develop and will update this announcement accordingly if needed.

## Closing thoughts

We, the conda-forge core dev team, want to thank everyone for their patience and support as we have responded to the various security incidents and bugs detailed above. It goes without saying that the public nature of conda-forge's infrastructure carries risks. On the other hand, by being public, anyone can look and verify our artifact builds. Security for conda-forge is about reducing risk, and we will continue to do our best.

As a reminder, we do not recommend that you use conda-forge in environments with sensitive information. conda-forge's software is built by our users and the core dev team cannot verify or guarantee that this software is not malicious or has not been tampered with.

Our best defense against security incidents in conda-forge is you! Our feedstock maintainers are in the best position to notice incidents and issues. Please responsibly report anything you find to us at [email protected] or using the process described in our [Security policy](https://github.com/conda-forge/conda-forge.github.io/security/policy).