xz-backdoor-github
History of commits related to the xz backdoor Discovered On March 29, 2024: CVE-2024-3094. (by emirkmo)
| xz-backdoor-github | VaRA-Tool-Suite | |
|---|---|---|
| 1 | 1 | |
| 10 | 13 | |
| - | - | |
| 5.5 | 8.1 | |
| about 2 months ago | 7 days ago | |
| Python | Python | |
| Apache License 2.0 | BSD 2-clause "Simplified" License |
The number of mentions indicates the total number of mentions that we've tracked plus the number of user suggested alternatives.
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
xz-backdoor-github
Posts with mentions or reviews of xz-backdoor-github.
We have used some of these posts to build our list of alternatives
and similar projects. The last one was on 2024-03-29.
-
Backdoor in upstream xz/liblzma leading to SSH server compromise
I uploaded all GitHub Events from the two suspected users and from their shared project repo as easy to consume CSV files:
https://github.com/emirkmo/xz-backdoor-github
For those who want to see the GitHub events (commits, comments, pull_requets, diffs, etc.)
VaRA-Tool-Suite
Posts with mentions or reviews of VaRA-Tool-Suite.
We have used some of these posts to build our list of alternatives
and similar projects. The last one was on 2024-03-29.
-
Backdoor in upstream xz/liblzma leading to SSH server compromise
I tried to understand the significance of this (parent maybe implied that they reused a completely fictitious identity generated by some test code), and I think this is benign.
That project just includes some metadata about a bunch of sample projects, and it links directly to a mirror of the xz project itself:
https://github.com/se-sic/VaRA-Tool-Suite/blob/982bf9b9cbf64...
I assume it downloads the project, examines the git history, and the test then ensures that the correct author name and email addresses are recognized.
(that said, I haven't checked the rest of the project, so I don't know if the code from xz is then subsequently built, and or if this other project could use that in an unsafe manner)
What are some alternatives?
When comparing xz-backdoor-github and VaRA-Tool-Suite you can also consider the following projects:
stencil-golang - Template repository for Golang applications