<!DOCTYPE html>

<!-- Inferencium - Website - News -->
<!-- Version: 1.4.0-alpha.1 -->

<!-- Copyright 2024 Jake Winters -->
<!-- SPDX-License-Identifier: BSD-3-Clause -->

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta charset="utf-8"/>
<meta name="viewport" content="width=device-width, initial-scale=1"/>
<link rel="stylesheet" href="main.css"/>
<link rel="icon shortcut" href="asset/img/logo/inferencium-notext.png"/>
<title>Inferencium - News</title>
</head>
<body>
<nav class="navbar">
<div class="logo"><a href="index.xhtml"><img src="asset/img/logo/inferencium-notext.png" alt="Inferencium logo"/></a></div>
<div class="title"><a href="index.xhtml">Inferencium</a></div>
<div><a href="about.xhtml">About</a></div>
<div><a href="news.xhtml">News</a></div>
<div><a href="documentation.xhtml">Documentation</a></div>
<div><a href="source.xhtml">Source</a></div>
<div><a href="changelog.xhtml">Changelog</a></div>
<div><a href="blog.xhtml">Blog</a></div>
<div><a href="contact.xhtml">Contact</a></div>
<div><a href="directory.xhtml">Directory</a></div>
<div><a href="key.xhtml">Key</a></div>
<div class="sitemap"><a href="sitemap.xhtml">Sitemap</a></div>
</nav>
<h1 id="news"><a href="#news">News</a></h1>
<nav id="toc">
<h2><a href="#toc">Table of Contents</a></h2>
<ul>
<li><a href="#2024-04-01">2024-04-01</a></li>
<ul>
<li><a href="#key-ssh-update-20240401">SSH Key Update</a></li>
</ul>
<li><a href="#2024-02-01">2024-02-01</a></li>
<ul>
<li><a href="#mirror-codeberg">Source Code Mirror - Codeberg</a></li>
</ul>
</ul>
</nav>
<section id="2024-04-01">
<h2><a href="#2024-04-01">2024-04-01</a></h2>
<article id="key-ssh-update-20240401">
<h3><a href="#key-ssh-update-20240401">SSH Key Update</a></h3>
<p>On 2024-03-29, a
<a href="https://www.openwall.com/lists/oss-security/2024/03/29/4">backdoor was publicly disclosed</a>
in the
<a href="https://git.tukaani.org/?p=xz.git">XZ Utils</a>
software. Inferencium systems <strong><em>did</em></strong> have the affected versions of
this software installed, and the tools were used. The software has since been downgraded to
the last-known safe version.</p>
<p>After
<a href="https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27">extensive research</a>,
it has been discovered that
<a href="https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27#design">specific criteria</a>
must be met for the backdoor to be effective. Based on
<strong><em>what is known</em></strong>, Inferencium systems are unaffected by this attack
for the following reasons:</p>
<ul>
<li>Inferencium systems run Gentoo Linux, which does not include Debian and Red Hat
OpenSSH patches.</li>
<li>Inferencium systems use musl libc, not glibc. As musl does not support glibc's
non-standard <code>IFUNC</code> functionality, the backdoor cannot run.</li>
<li>Inferencium systems use Clang as the system compiler, and lld as the system
linker, not GCC and ld.</li>
<li>Inferencium systems use OpenRC as the init system, not systemd. libsystemd and
systemd-notify do not work with OpenRC.</li>
</ul>
<p>The <em>only</em> criterion met by Inferencium systems is amd64 as the system
architecture; this is not enough for the backdoor to be effective. Even if all criteria
other than running glibc were met, Inferencium systems would still be unaffected by this
attack due to musl not supporting the required <code>IFUNC</code> functionality which
the backdoor seems heavily dependent on.</p>
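<p>As an added example (not part of the Inferencium site or its tooling), the following shell
functions evaluate the run-time criteria from the list above against a host's architecture,
PID 1 name and <code>ldd</code> output for sshd. The function names are hypothetical and the
sample inputs are constructed; the build-time compiler and linker criterion is not evaluated.</p>

```shell
#!/bin/sh
# Added example, not Inferencium code. Function names are hypothetical.

# has NEEDLE HAYSTACK: succeed when HAYSTACK contains NEEDLE.
has() {
    case "$2" in *"$1"*) return 0 ;; *) return 1 ;; esac
}

# preconditions_met ARCH PID1 LDD_SSHD
#   ARCH      output of uname -m
#   PID1      contents of /proc/1/comm
#   LDD_SSHD  output of ldd run on the sshd binary
# Prints one name per run-time criterion the host satisfies.
preconditions_met() {
    arch=$1; pid1=$2; ldd_out=$3
    if [ "$arch" = "x86_64" ]; then echo amd64; fi
    if [ "$pid1" = "systemd" ]; then echo systemd; fi
    # glibc's dynamic loader is ld-linux-*; musl's is ld-musl-*.
    if has "ld-linux" "$ldd_out"; then echo glibc; fi
    # The Debian and Red Hat OpenSSH patches link sshd against libsystemd,
    # which in turn depends on liblzma.
    if has "libsystemd" "$ldd_out"; then echo sshd-libsystemd; fi
    if has "liblzma" "$ldd_out"; then echo sshd-liblzma; fi
    return 0
}

# verdict ARCH PID1 LDD_SSHD: "all-met" only when all five checks pass.
verdict() {
    # Word-split the criterion names into positional parameters and count.
    set -- $(preconditions_met "$@")
    if [ "$#" -eq 5 ]; then echo all-met; else echo not-met; fi
}

# Constructed ldd output: musl host, sshd without libsystemd.
MUSL_LDD='    /lib/ld-musl-x86_64.so.1 (0x7f0000000000)
    libcrypto.so.3 => /usr/lib/libcrypto.so.3 (0x7f0000100000)
    libc.so => /lib/ld-musl-x86_64.so.1 (0x7f0000000000)'

# Constructed ldd output: glibc host with a patched sshd.
GLIBC_LDD='    libsystemd.so.0 => /lib64/libsystemd.so.0 (0x7f0000200000)
    liblzma.so.5 => /lib64/liblzma.so.5 (0x7f0000300000)
    libc.so.6 => /lib64/libc.so.6 (0x7f0000400000)
    /lib64/ld-linux-x86-64.so.2 (0x7f0000500000)'

echo "musl/OpenRC host:   $(verdict x86_64 init "$MUSL_LDD")"
echo "glibc/systemd host: $(verdict x86_64 systemd "$GLIBC_LDD")"
```

<p>On a live host, pass the real <code>uname -m</code>, <code>/proc/1/comm</code> and
<code>ldd</code> output instead of the samples. An <code>all-met</code> result only says the
listed conditions hold, so the installed XZ Utils version still has to be compared against the
affected releases.</p>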
<p><strong>Despite the evidence, it is unknown exactly what this malicious code does and is
capable of in its entirety. As a precautionary measure, I have generated a new SSH key and
classified the previous key as compromised. You can find my new key on the
<a href="key.xhtml#ssh-current-2">Key webpage</a>.</strong></p>
<p>There is no evidence that my previous key was compromised, so this is entirely a
precautionary measure. All files and Git commits, tags, and releases signed with the
previous key, even after discovery of the backdoor, up to 2024-04-01, are secure and validly
signed by me; the key should not be trusted after this date.</p>
<p>I completely support Lasse Collin during this time. Support should be provided to him for
what occurred to his project and how it was sabotaged. He clearly had good intentions and
was burnt out from the commitment to his project, which led to Jia Tan taking advantage of
him. He has posted
<a href="https://tukaani.org/xz-backdoor/">his own, official statement</a>
on behalf of the XZ Utils project and how it intends to move forward. Assistance should be
provided to support both him and the community.</p>
</article>
</section>
<section id="2024-02-01">
<h2><a href="#2024-02-01">2024-02-01</a></h2>
<article id="mirror-codeberg">
<h3><a href="#mirror-codeberg">Source Code Mirror - Codeberg</a></h3>
<p><a href="https://src.inferencium.net/Inferencium">Inferencium source code repositories</a>
are now mirrored at
<a href="https://codeberg.org/Inferencium">Codeberg</a>.
In case of service disruption of the main Inferencium source code repositories, the mirrors
can be used to access the source code.</p>
<p>Due to terms of service restrictions, proprietary code and related repositories, such as
firmware, are unable to be mirrored to Codeberg.</p>
</article>
</section>
<div class="sitemap-small"><a href="sitemap.xhtml">Sitemap</a></div>
</body>
</html>