Inferencium/website
1
0
Fork 0
Code Issues Activity

Update webpage "News" from version "1.0.1-beta.1" to "1.1.0-beta.1"

Browse Source
This commit is contained in:
inference 2024-04-01 17:13:24 +00:00
parent 39502e7d9a
commit 3c9f3f962a
Signed by: inference
SSH Key Fingerprint: SHA256:K/a677+eHm7chi3X4s77BIpLTE9Vge1tsv+jUL5gI+Y
1 changed files with 43 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

44
news.xhtml
View File

@ -1,7 +1,7 @@
<!DOCTYPE html> <!DOCTYPE html>
<!-- Inferencium - Website - News --> <!-- Inferencium - Website - News -->
<!-- Version: 1.0.1-beta.1 --> <!-- Version: 1.1.0-beta.1 -->
<!-- Copyright 2024 Jake Winters --> <!-- Copyright 2024 Jake Winters -->
<!-- SPDX-License-Identifier: BSD-3-Clause --> <!-- SPDX-License-Identifier: BSD-3-Clause -->
@ -34,12 +34,54 @@
<nav id="toc"> <nav id="toc">
<h2><a href="#toc">Table of Contents</a></h2> <h2><a href="#toc">Table of Contents</a></h2>
<ul> <ul>
<li><a href="#2024-04-01">2024-04-01</a></li>
<ul>
<li><a href="#key-ssh-update-20240401">SSH Key Update</a></li>
</ul>
<li><a href="#2024-02-01">2024-02-01</a></li> <li><a href="#2024-02-01">2024-02-01</a></li>
<ul> <ul>
<li><a href="#mirror-codeberg">Source Code Mirror - Codeberg</a></li> <li><a href="#mirror-codeberg">Source Code Mirror - Codeberg</a></li>
</ul> </ul>
</ul> </ul>
</nav> </nav>
<section id="2024-04-01">
<h2><a href="#2024-04-01">2024-04-01</a></h2>
<article id="key-ssh-update-20240401">
<h3><a href="#key-ssh-update-20240401">SSH Key Update</a></h3>
<p>On 2024-03-29, a backdoor was discovered in the
<a href="https://git.tukaani.org/?p=xz.git">xz-utils</a>
software. Inferencium systems <strong><em>did</em></strong> have the affected versions of
this software installed, and the tools were used. The software has since been downgraded to
the last-known safe version.</p>
<p>After extensive research, it
<a href="https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27">has been discovered</a>
that specific criteria must be met for the backdoor to be effective. Based on
<strong><em>what is known</em></strong>, Inferencium systems are unaffected by this attack
for the following reasons:</p>
<ul>
<li>Inferencium systems run Gentoo Linux, which does not include Debian and Red Hat
OpenSSH patches.</li>
<li>Inferencium systems use musl libc, not glibc. As musl does not support glibc's
non-standard <code>IFUNC</code> functionality, the backdoor cannot run.</li>
<li>Inferencium systems use Clang as the system compiler, and lld as the system
linker, not GCC and ld.</li>
<li>Inferencium systems use OpenRC as the init system, not systemd. libsystemd and
systemd-notify do not work with OpenRC.</li>
</ul>
<p>The <em>only</em> criteria met by Inferencium systems is amd64 as the system
architecture; this is not enough for the backdoor to be effective. Even if all criteria
other than running glibc were met, Inferencium systems would still be unaffected by this
attack due to musl not supporting the required <code>IFUNC</code> functionality.</p>
<p><strong>Despite the evidence, it is unknown exactly what this malicious code does and is
capable of in entirety. As a precautionary measure, I have generated a new SSH key and
classifed the previous key as compromised. You can find my new key on the
<a href="key.xhtml#ssh-current-2">Key webpage</a>.</strong></p>
<p>There is no evidence that my previous key was compromised, so this is entirely a
precautionary measure. All files and Git commits, tags, and releases signed with the
previous key, even after discovery of the backdoor, up to 2024-04-01, are secure and validly
signed by me; the key should not be trusted after this date.</p>
</article>
</section>
<section id="2024-02-01"> <section id="2024-02-01">
<h2><a href="#2024-02-01">2024-02-01</a></h2> <h2><a href="#2024-02-01">2024-02-01</a></h2>
<article id="mirror-codeberg"> <article id="mirror-codeberg">