CVE-2024-3094: Urgent alert for Fedora Linux 40 and Rawhide users

petsoi@discuss.tchncs.de to Linux@lemmy.ml – 181 points –
CVE-2024-3094: Urgent alert for Fedora Linux 40 and Rawhide users - Fedora Magazine
fedoramagazine.org


Supply chain attacks are extremely cheap/easy and very effective, so get prepared for more of them in the future.

It really bothers me that many companies make billions utilizing open source without contributing money/employees etc. to secure/supply/maintain supply chains.

This one might not have been that cheap. The malicious code was added by a maintainer on the project for two years. That is some patience.

Agreed. I am more speaking of 'in general', for example there was a supply chain attack on a widely used npm package by writing an email to the author of the npm package. There are other 'cheap' attacks like dependency confusion, typosquatting etc.
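As an added illustration of the two 'cheap' attack classes named in the last comment (this is example code, not from the thread, the Fedora article, or any project), here is a small audit that flags typosquat candidates (dependency names within a short edit distance of a popular package) and dependency-confusion candidates (internal package names that also exist on the public index, so a resolver consulting both indexes may pull the public copy). All package lists below are constructed for the example; a real check would load the popular-package list and the public index from the registry rather than hard-code them.

```python
"""Flag two cheap supply-chain attack patterns in a dependency list.

typosquatting       : a name that is a near-miss of a popular public package
dependency confusion: an internal-only name that also exists on the public index

Added example; every package list here is constructed, not real registry data.
"""

from typing import Dict, Iterable, List

# Constructed sample of well-known public packages (assumed, not fetched).
POPULAR_PUBLIC = {"requests", "urllib3", "numpy", "cryptography", "pyyaml"}

# Constructed public index: the popular names plus a lookalike and a name that
# collides with an internal package (both assumed for the example).
PUBLIC_INDEX = POPULAR_PUBLIC | {"reqeusts", "acme-billing-core"}

# Constructed list of packages that are supposed to exist only on the private index.
INTERNAL_PACKAGES = {"acme-billing-core", "acme-auth-client"}


def normalize(name: str) -> str:
    """PEP 503 style normalization so 'PyYAML' and 'pyyaml' compare equal."""
    return name.lower().replace("_", "-").replace(".", "-")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: how many single-character edits separate two names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def find_typosquats(deps: Iterable[str], popular=POPULAR_PUBLIC,
                    max_distance: int = 2) -> Dict[str, str]:
    """Return {dependency: closest_popular_name} for near-misses of popular packages."""
    pop = {normalize(p) for p in popular}
    hits: Dict[str, str] = {}
    for dep in deps:
        d = normalize(dep)
        if d in pop:
            continue  # exact match is the legitimate package, not a squat
        closest = min(pop, key=lambda p: edit_distance(d, p))
        if edit_distance(d, closest) <= max_distance:
            hits[dep] = closest
    return hits


def find_dependency_confusion(deps: Iterable[str], internal=INTERNAL_PACKAGES,
                              public_index=PUBLIC_INDEX) -> List[str]:
    """Return internal-only dependency names that also appear on the public index.

    If the resolver is allowed to fall back to (or prefer) the public index, the
    attacker's higher-versioned public copy can win the resolution.
    """
    internal_n = {normalize(i) for i in internal}
    public_n = {normalize(p) for p in public_index}
    return sorted(dep for dep in deps
                  if normalize(dep) in internal_n and normalize(dep) in public_n)


def audit(deps: Iterable[str]) -> dict:
    """Run both checks over one dependency list and return the findings."""
    deps = list(deps)
    return {"typosquats": find_typosquats(deps),
            "confusion": find_dependency_confusion(deps)}


if __name__ == "__main__":
    # Constructed dependency list, e.g. parsed from a requirements file.
    sample = ["requests", "reqeusts", "numpy", "acme-billing-core", "acme-auth-client"]
    print(audit(sample))
```

The cheapest mitigation for the confusion case is configuration rather than code: pin the private index as the only source for internal names (index priority or per-package index rules) so the public copy is never consulted. The typosquat check is only a heuristic; a short distance threshold keeps noise down but will miss squats that add a plausible suffix instead of swapping letters.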