Security Researchers Find XZ Utils Backdoored Debian Images on Docker Hub
submitted by
news.itsfoss.com/xz-utils-backdoored-debian-ima…
I understand the position that these old containers are not and cannot be supported, but I disagree with the argument that this is a vulnerability in unmaintained software and therefore should not be fixed. It’s malware. One should not knowingly host malware even if the activation of that malware isn’t likely.
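Neither the article nor the thread gives a way to check an image for the backdoored package, so here is an added example (not from the article, the researchers, or any commenter). The only facts it relies on are that upstream xz 5.6.0 and 5.6.1 are the releases carrying the CVE-2024-3094 backdoor and that Debian records installed packages in `/var/lib/dpkg/status`. The package list, the dpkg status text, and the function names are this example's own constructions.

```python
"""Flag backdoored xz-utils / liblzma in a Debian dpkg status file.

Added example; feed it the contents of /var/lib/dpkg/status from a
container, e.g.  docker run --rm IMAGE cat /var/lib/dpkg/status | python3 check_xz.py
"""
import re
import sys

# Upstream xz releases known to contain the CVE-2024-3094 backdoor (a known fact).
BACKDOORED_UPSTREAM = {"5.6.0", "5.6.1"}

# Debian binary packages built from the xz source package (assumption: this
# list covers the packages a Debian image would normally carry).
XZ_PACKAGES = {"xz-utils", "liblzma5", "liblzma-dev"}

# Constructed sample status file: one clean xz-utils, one backdoored liblzma5,
# and one backdoored version that was removed (config-files only) and so is not live.
SAMPLE_STATUS = """Package: xz-utils
Status: install ok installed
Version: 5.4.1-0.2
Architecture: amd64

Package: liblzma5
Status: install ok installed
Version: 5.6.1-1
Architecture: amd64

Package: liblzma-dev
Status: deinstall ok config-files
Version: 5.6.0-0.2
Architecture: amd64

Package: bash
Status: install ok installed
Version: 5.2.15-2+b2
Architecture: amd64
"""


def upstream_version(debian_version: str) -> str:
    """Strip the Debian epoch and revision: '[epoch:]upstream[-revision]' -> upstream."""
    v = debian_version.partition(":")[2] if ":" in debian_version else debian_version
    return v.rsplit("-", 1)[0]


def parse_dpkg_status(text: str) -> list[dict[str, str]]:
    """Split the status file into paragraphs and return each as a field dict.

    Continuation lines (starting with a space) belong to the previous field and
    are ignored here because we only need Package, Status and Version.
    """
    packages = []
    for paragraph in re.split(r"\n\s*\n", text.strip()):
        fields: dict[str, str] = {}
        for line in paragraph.splitlines():
            if line.startswith(" ") or ":" not in line:
                continue
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        if "Package" in fields:
            packages.append(fields)
    return packages


def find_backdoored(status_text: str) -> list[tuple[str, str]]:
    """Return (package, version) for installed xz packages at a backdoored upstream version."""
    hits = []
    for pkg in parse_dpkg_status(status_text):
        if pkg["Package"] not in XZ_PACKAGES:
            continue
        # dpkg marks a live install as '... installed'; removed packages keep a
        # Version line but are not a running risk.
        if not pkg.get("Status", "").endswith(" installed"):
            continue
        if upstream_version(pkg.get("Version", "")) in BACKDOORED_UPSTREAM:
            hits.append((pkg["Package"], pkg["Version"]))
    return hits


if __name__ == "__main__":
    text = SAMPLE_STATUS if sys.stdin.isatty() else sys.stdin.read()
    for name, version in find_backdoored(text):
        print(f"BACKDOORED: {name} {version}")
```

The check keys on the upstream version rather than on specific Debian revisions, so it also catches a rebuilt or locally patched package that still carries the 5.6.0/5.6.1 upstream source; it does not inspect the library binary itself, so a renamed or vendored liblzma would need a file-level check instead.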
Ah yes, I remember the days when the backdoor was still in play.
I have a particular feeling which I want to ask you all about.
In the last few years, I have seen that some new cyber security firm will come up with a new 'novel' security vulnerability, and the media will give that 'vulnerability' huge coverage, but in the end, in reality, that vulnerability is just of academic interest, without any real-life implications?
There was a 'logo fail' vulnerability, then GitHub 'leaking' credentials (it was bad narrative built around a GitHub feature), and so many more.
All I see is fear mongering with sensationalised media coverage. Am I the only one feeling this way?
Part of it is because journalism is dead and media generally do not understand cyber security.
Second, if it’s a really good bug, you don’t always want to publish it for free. You’re more likely to sell that information. I think those kinds of bugs tend to get exploited and patched under wraps.
https://en.wikipedia.org/wiki/Gell-Mann_amnesia_effect
The lead dev for Curl gets a lot of those over-hyped bug reports https://mastodon.social/@bagder