From b7c6c1838f42b567dfcfb6336e485a3231ad89db Mon Sep 17 00:00:00 2001
From: himazawa <himazawa@users.noreply.github.com>
Date: Sun, 31 Mar 2024 09:34:06 +0000
Subject: [PATCH] deploy: 00a5b087c956d52c39ac6d4de76ed02911552a02

---
 en/sitemap.xml                         |  2 +-
 index.xml                              |  8 ++++----
 it/index.xml                           |  6 +++---
 it/posts/index.xml                     |  6 +++---
 it/posts/xz-backdoor/index.html        | 10 +++++-----
 it/posts/xz-backdoor/index.md          |  6 +++---
 it/sitemap.xml                         |  2 +-
 it/tags/backdoor/index.xml             |  6 +++---
 it/tags/cve-2024-3094/index.xml        |  6 +++---
 it/tags/liblzma/index.xml              |  6 +++---
 it/tags/security-engineering/index.xml |  6 +++---
 it/tags/supply-chain/index.xml         |  6 +++---
 it/tags/xz/index.xml                   |  6 +++---
 posts/index.xml                        |  8 ++++----
 posts/xz-backdoor/index.html           | 12 ++++++------
 posts/xz-backdoor/index.md             |  8 ++++----
 sitemap.xml                            |  2 +-
 tags/backdoor/index.xml                |  8 ++++----
 tags/cve-2024-3094/index.xml           |  8 ++++----
 tags/liblzma/index.xml                 |  8 ++++----
 tags/security-engineering/index.xml    |  8 ++++----
 tags/supply-chain/index.xml            |  8 ++++----
 tags/xz/index.xml                      |  8 ++++----
 23 files changed, 77 insertions(+), 77 deletions(-)

diff --git a/en/sitemap.xml b/en/sitemap.xml
index 47410c8..2674d53 100644
--- a/en/sitemap.xml
+++ b/en/sitemap.xml
@@ -1 +1 @@
-<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9" xmlns:xhtml="http://www.w3.org/1999/xhtml"><url><loc>https://appsec.space/</loc><lastmod>2024-03-31T11:20:16+02:00</lastmod><changefreq>weekly</changefreq><priority>1</priority><xhtml:link rel="alternate" hreflang="it" href="https://appsec.space/it/"/><xhtml:link rel="alternate" hreflang="en" href="https://appsec.space/"/></url><url><loc>https://appsec.space/tags/backdoor/</loc><lastmod>2024-03-31T11:20:16+02:00</lastmod><changefreq>weekly</changefreq><priority>1</priority><xhtml:link rel="alternate" hreflang="it" href="https://appsec.space/it/tags/backdoor/"/><xhtml:link rel="alternate" hreflang="en" href="https://appsec.space/tags/backdoor/"/></url><url><loc>https://appsec.space/tags/cve-2024-3094/</loc><lastmod>2024-03-31T11:20:16+02:00</lastmod><changefreq>weekly</changefreq><priority>1</priority><xhtml:link rel="alternate" hreflang="it" href="https://appsec.space/it/tags/cve-2024-3094/"/><xhtml:link rel="alternate" hreflang="en" href="https://appsec.space/tags/cve-2024-3094/"/></url><url><loc>https://appsec.space/tags/liblzma/</loc><lastmod>2024-03-31T11:20:16+02:00</lastmod><changefreq>weekly</changefreq><priority>1</priority><xhtml:link rel="alternate" hreflang="it" href="https://appsec.space/it/tags/liblzma/"/><xhtml:link rel="alternate" hreflang="en" href="https://appsec.space/tags/liblzma/"/></url><url><loc>https://appsec.space/posts/</loc><lastmod>2024-03-31T11:20:16+02:00</lastmod><changefreq>weekly</changefreq><priority>1</priority><xhtml:link rel="alternate" hreflang="it" href="https://appsec.space/it/posts/"/><xhtml:link rel="alternate" hreflang="en" href="https://appsec.space/posts/"/></url><url><loc>https://appsec.space/tags/security-engineering/</loc><lastmod>2024-03-31T11:20:16+02:00</lastmod><changefreq>weekly</changefreq><priority>1</priority><xhtml:link rel="alternate" hreflang="it" href="https://appsec.space/it/tags/security-engineering/"/><xhtml:link rel="alternate" hreflang="en" href="https://appsec.space/tags/security-engineering/"/></url><url><loc>https://appsec.space/tags/supply-chain/</loc><lastmod>2024-03-31T11:20:16+02:00</lastmod><changefreq>weekly</changefreq><priority>1</priority><xhtml:link rel="alternate" hreflang="it" href="https://appsec.space/it/tags/supply-chain/"/><xhtml:link rel="alternate" hreflang="en" href="https://appsec.space/tags/supply-chain/"/></url><url><loc>https://appsec.space/tags/</loc><lastmod>2024-03-31T11:20:16+02:00</lastmod><changefreq>weekly</changefreq><priority>1</priority><xhtml:link rel="alternate" hreflang="it" href="https://appsec.space/it/tags/"/><xhtml:link rel="alternate" hreflang="en" href="https://appsec.space/tags/"/></url><url><loc>https://appsec.space/posts/xz-backdoor/</loc><lastmod>2024-03-31T11:20:16+02:00</lastmod><changefreq>weekly</changefreq><priority>1</priority><xhtml:link rel="alternate" hreflang="it" href="https://appsec.space/it/posts/xz-backdoor/"/><xhtml:link rel="alternate" hreflang="en" href="https://appsec.space/posts/xz-backdoor/"/></url><url><loc>https://appsec.space/tags/xz/</loc><lastmod>2024-03-31T11:20:16+02:00</lastmod><changefreq>weekly</changefreq><priority>1</priority><xhtml:link rel="alternate" hreflang="it" href="https://appsec.space/it/tags/xz/"/><xhtml:link rel="alternate" hreflang="en" href="https://appsec.space/tags/xz/"/></url><url><loc>https://appsec.space/categories/</loc><lastmod>2024-03-30T22:00:02+01:00</lastmod><changefreq>weekly</changefreq><priority>1</priority><xhtml:link rel="alternate" hreflang="it" href="https://appsec.space/it/categories/"/><xhtml:link rel="alternate" hreflang="en" href="https://appsec.space/categories/"/></url><url><loc>https://appsec.space/categories/general-knowledge/</loc><lastmod>2024-03-30T22:00:02+01:00</lastmod><changefreq>weekly</changefreq><priority>1</priority><xhtml:link rel="alternate" hreflang="it" href="https://appsec.space/it/categories/general-knowledge/"/><xhtml:link rel="alternate" hreflang="en" href="https://appsec.space/categories/general-knowledge/"/></url><url><loc>https://appsec.space/tags/infosec/</loc><lastmod>2024-03-30T22:00:02+01:00</lastmod><changefreq>weekly</changefreq><priority>1</priority><xhtml:link rel="alternate" hreflang="it" href="https://appsec.space/it/tags/infosec/"/><xhtml:link rel="alternate" hreflang="en" href="https://appsec.space/tags/infosec/"/></url><url><loc>https://appsec.space/tags/rants/</loc><lastmod>2024-03-30T22:00:02+01:00</lastmod><changefreq>weekly</changefreq><priority>1</priority><xhtml:link rel="alternate" hreflang="it" href="https://appsec.space/it/tags/rants/"/><xhtml:link rel="alternate" hreflang="en" href="https://appsec.space/tags/rants/"/></url><url><loc>https://appsec.space/tags/security-theatre/</loc><lastmod>2024-03-30T22:00:02+01:00</lastmod><changefreq>weekly</changefreq><priority>1</priority><xhtml:link rel="alternate" hreflang="it" href="https://appsec.space/it/tags/security-theatre/"/><xhtml:link rel="alternate" hreflang="en" href="https://appsec.space/tags/security-theatre/"/></url><url><loc>https://appsec.space/posts/security-theatre/</loc><lastmod>2024-03-30T22:00:02+01:00</lastmod><changefreq>weekly</changefreq><priority>1</priority><xhtml:link rel="alternate" hreflang="it" href="https://appsec.space/it/posts/security-theatre/"/><xhtml:link rel="alternate" hreflang="en" href="https://appsec.space/posts/security-theatre/"/></url><url><loc>https://appsec.space/categories/blog-news/</loc><lastmod>2024-03-30T22:00:02+01:00</lastmod><changefreq>weekly</changefreq><priority>1</priority></url><url><loc>https://appsec.space/posts/long-time-no-see/</loc><lastmod>2024-03-30T22:00:02+01:00</lastmod><changefreq>weekly</changefreq><priority>1</priority><xhtml:link rel="alternate" hreflang="it" href="https://appsec.space/it/posts/long-time-no-see/"/><xhtml:link rel="alternate" hreflang="en" href="https://appsec.space/posts/long-time-no-see/"/></url><url><loc>https://appsec.space/tags/updates/</loc><lastmod>2024-03-30T22:00:02+01:00</lastmod><changefreq>weekly</changefreq><priority>1</priority><xhtml:link rel="alternate" hreflang="it" href="https://appsec.space/it/tags/updates/"/><xhtml:link rel="alternate" hreflang="en" href="https://appsec.space/tags/updates/"/></url><url><loc>https://appsec.space/tags/ai/</loc><lastmod>2024-03-30T22:00:02+01:00</lastmod><changefreq>weekly</changefreq><priority>1</priority></url><url><loc>https://appsec.space/tags/code-review/</loc><lastmod>2024-03-30T22:00:02+01:00</lastmod><changefreq>weekly</changefreq><priority>1</priority></url><url><loc>https://appsec.space/posts/mycroft-ai-rce/</loc><lastmod>2024-03-30T22:00:02+01:00</lastmod><changefreq>weekly</changefreq><priority>1</priority></url><url><loc>https://appsec.space/tags/vocal-assistant/</loc><lastmod>2024-03-30T22:00:02+01:00</lastmod><changefreq>weekly</changefreq><priority>1</priority></url><url><loc>https://appsec.space/categories/vulnerability-research/</loc><lastmod>2024-03-30T22:00:02+01:00</lastmod><changefreq>weekly</changefreq><priority>1</priority></url><url><loc>https://appsec.space/tags/writeup/</loc><lastmod>2024-03-30T22:00:02+01:00</lastmod><changefreq>weekly</changefreq><priority>1</priority></url><url><loc>https://appsec.space/about/</loc><lastmod>2023-03-21T22:11:59+01:00</lastmod><changefreq>weekly</changefreq><priority>0.5</priority><xhtml:link rel="alternate" hreflang="it" href="https://appsec.space/it/about/"/><xhtml:link rel="alternate" hreflang="en" href="https://appsec.space/about/"/></url></urlset>
\ No newline at end of file
+<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9" xmlns:xhtml="http://www.w3.org/1999/xhtml"><url><loc>https://appsec.space/</loc><lastmod>2024-03-31T11:33:45+02:00</lastmod><changefreq>weekly</changefreq><priority>1</priority><xhtml:link rel="alternate" hreflang="it" href="https://appsec.space/it/"/><xhtml:link rel="alternate" hreflang="en" href="https://appsec.space/"/></url><url><loc>https://appsec.space/tags/backdoor/</loc><lastmod>2024-03-31T11:33:45+02:00</lastmod><changefreq>weekly</changefreq><priority>1</priority><xhtml:link rel="alternate" hreflang="it" href="https://appsec.space/it/tags/backdoor/"/><xhtml:link rel="alternate" hreflang="en" href="https://appsec.space/tags/backdoor/"/></url><url><loc>https://appsec.space/tags/cve-2024-3094/</loc><lastmod>2024-03-31T11:33:45+02:00</lastmod><changefreq>weekly</changefreq><priority>1</priority><xhtml:link rel="alternate" hreflang="it" href="https://appsec.space/it/tags/cve-2024-3094/"/><xhtml:link rel="alternate" hreflang="en" href="https://appsec.space/tags/cve-2024-3094/"/></url><url><loc>https://appsec.space/tags/liblzma/</loc><lastmod>2024-03-31T11:33:45+02:00</lastmod><changefreq>weekly</changefreq><priority>1</priority><xhtml:link rel="alternate" hreflang="it" href="https://appsec.space/it/tags/liblzma/"/><xhtml:link rel="alternate" hreflang="en" href="https://appsec.space/tags/liblzma/"/></url><url><loc>https://appsec.space/posts/</loc><lastmod>2024-03-31T11:33:45+02:00</lastmod><changefreq>weekly</changefreq><priority>1</priority><xhtml:link rel="alternate" hreflang="it" href="https://appsec.space/it/posts/"/><xhtml:link rel="alternate" hreflang="en" href="https://appsec.space/posts/"/></url><url><loc>https://appsec.space/tags/security-engineering/</loc><lastmod>2024-03-31T11:33:45+02:00</lastmod><changefreq>weekly</changefreq><priority>1</priority><xhtml:link rel="alternate" hreflang="it" href="https://appsec.space/it/tags/security-engineering/"/><xhtml:link rel="alternate" hreflang="en" href="https://appsec.space/tags/security-engineering/"/></url><url><loc>https://appsec.space/tags/supply-chain/</loc><lastmod>2024-03-31T11:33:45+02:00</lastmod><changefreq>weekly</changefreq><priority>1</priority><xhtml:link rel="alternate" hreflang="it" href="https://appsec.space/it/tags/supply-chain/"/><xhtml:link rel="alternate" hreflang="en" href="https://appsec.space/tags/supply-chain/"/></url><url><loc>https://appsec.space/tags/</loc><lastmod>2024-03-31T11:33:45+02:00</lastmod><changefreq>weekly</changefreq><priority>1</priority><xhtml:link rel="alternate" hreflang="it" href="https://appsec.space/it/tags/"/><xhtml:link rel="alternate" hreflang="en" href="https://appsec.space/tags/"/></url><url><loc>https://appsec.space/posts/xz-backdoor/</loc><lastmod>2024-03-31T11:33:45+02:00</lastmod><changefreq>weekly</changefreq><priority>1</priority><xhtml:link rel="alternate" hreflang="it" href="https://appsec.space/it/posts/xz-backdoor/"/><xhtml:link rel="alternate" hreflang="en" href="https://appsec.space/posts/xz-backdoor/"/></url><url><loc>https://appsec.space/tags/xz/</loc><lastmod>2024-03-31T11:33:45+02:00</lastmod><changefreq>weekly</changefreq><priority>1</priority><xhtml:link rel="alternate" hreflang="it" href="https://appsec.space/it/tags/xz/"/><xhtml:link rel="alternate" hreflang="en" href="https://appsec.space/tags/xz/"/></url><url><loc>https://appsec.space/categories/</loc><lastmod>2024-03-30T22:00:02+01:00</lastmod><changefreq>weekly</changefreq><priority>1</priority><xhtml:link rel="alternate" hreflang="it" href="https://appsec.space/it/categories/"/><xhtml:link rel="alternate" hreflang="en" href="https://appsec.space/categories/"/></url><url><loc>https://appsec.space/categories/general-knowledge/</loc><lastmod>2024-03-30T22:00:02+01:00</lastmod><changefreq>weekly</changefreq><priority>1</priority><xhtml:link rel="alternate" hreflang="it" href="https://appsec.space/it/categories/general-knowledge/"/><xhtml:link rel="alternate" hreflang="en" href="https://appsec.space/categories/general-knowledge/"/></url><url><loc>https://appsec.space/tags/infosec/</loc><lastmod>2024-03-30T22:00:02+01:00</lastmod><changefreq>weekly</changefreq><priority>1</priority><xhtml:link rel="alternate" hreflang="it" href="https://appsec.space/it/tags/infosec/"/><xhtml:link rel="alternate" hreflang="en" href="https://appsec.space/tags/infosec/"/></url><url><loc>https://appsec.space/tags/rants/</loc><lastmod>2024-03-30T22:00:02+01:00</lastmod><changefreq>weekly</changefreq><priority>1</priority><xhtml:link rel="alternate" hreflang="it" href="https://appsec.space/it/tags/rants/"/><xhtml:link rel="alternate" hreflang="en" href="https://appsec.space/tags/rants/"/></url><url><loc>https://appsec.space/tags/security-theatre/</loc><lastmod>2024-03-30T22:00:02+01:00</lastmod><changefreq>weekly</changefreq><priority>1</priority><xhtml:link rel="alternate" hreflang="it" href="https://appsec.space/it/tags/security-theatre/"/><xhtml:link rel="alternate" hreflang="en" href="https://appsec.space/tags/security-theatre/"/></url><url><loc>https://appsec.space/posts/security-theatre/</loc><lastmod>2024-03-30T22:00:02+01:00</lastmod><changefreq>weekly</changefreq><priority>1</priority><xhtml:link rel="alternate" hreflang="it" href="https://appsec.space/it/posts/security-theatre/"/><xhtml:link rel="alternate" hreflang="en" href="https://appsec.space/posts/security-theatre/"/></url><url><loc>https://appsec.space/categories/blog-news/</loc><lastmod>2024-03-30T22:00:02+01:00</lastmod><changefreq>weekly</changefreq><priority>1</priority></url><url><loc>https://appsec.space/posts/long-time-no-see/</loc><lastmod>2024-03-30T22:00:02+01:00</lastmod><changefreq>weekly</changefreq><priority>1</priority><xhtml:link rel="alternate" hreflang="it" href="https://appsec.space/it/posts/long-time-no-see/"/><xhtml:link rel="alternate" hreflang="en" href="https://appsec.space/posts/long-time-no-see/"/></url><url><loc>https://appsec.space/tags/updates/</loc><lastmod>2024-03-30T22:00:02+01:00</lastmod><changefreq>weekly</changefreq><priority>1</priority><xhtml:link rel="alternate" hreflang="it" href="https://appsec.space/it/tags/updates/"/><xhtml:link rel="alternate" hreflang="en" href="https://appsec.space/tags/updates/"/></url><url><loc>https://appsec.space/tags/ai/</loc><lastmod>2024-03-30T22:00:02+01:00</lastmod><changefreq>weekly</changefreq><priority>1</priority></url><url><loc>https://appsec.space/tags/code-review/</loc><lastmod>2024-03-30T22:00:02+01:00</lastmod><changefreq>weekly</changefreq><priority>1</priority></url><url><loc>https://appsec.space/posts/mycroft-ai-rce/</loc><lastmod>2024-03-30T22:00:02+01:00</lastmod><changefreq>weekly</changefreq><priority>1</priority></url><url><loc>https://appsec.space/tags/vocal-assistant/</loc><lastmod>2024-03-30T22:00:02+01:00</lastmod><changefreq>weekly</changefreq><priority>1</priority></url><url><loc>https://appsec.space/categories/vulnerability-research/</loc><lastmod>2024-03-30T22:00:02+01:00</lastmod><changefreq>weekly</changefreq><priority>1</priority></url><url><loc>https://appsec.space/tags/writeup/</loc><lastmod>2024-03-30T22:00:02+01:00</lastmod><changefreq>weekly</changefreq><priority>1</priority></url><url><loc>https://appsec.space/about/</loc><lastmod>2023-03-21T22:11:59+01:00</lastmod><changefreq>weekly</changefreq><priority>0.5</priority><xhtml:link rel="alternate" hreflang="it" href="https://appsec.space/it/about/"/><xhtml:link rel="alternate" hreflang="en" href="https://appsec.space/about/"/></url></urlset>
\ No newline at end of file
diff --git a/index.xml b/index.xml
index 3d6896d..3eaff57 100644
--- a/index.xml
+++ b/index.xml
@@ -15,7 +15,7 @@ Check the Resources section for additional links.</p>
 <p>The situation doesn&rsquo;t look too good so I&rsquo;m trying to write this blogpost as a summary.</p>
 <p>I don&rsquo;t want to address the technical aspect of the compromission but I want to look at the issue from the perspective of a Security Engineer, summarizing what went wrong and trying to find a remediation.</p>
 <h2 id="timeline" class="headerLink">
-    <a href="#timeline" class="header-mark"></a>1 Timeline</h2><div class="details admonition tip open">
+    <a href="#timeline" class="header-mark"></a>1 Timeline</h2><div class="details admonition tip">
         <div class="details-summary admonition-title">
             <i class="icon fas fa-lightbulb fa-fw"></i>Note<i class="details-icon fas fa-angle-right fa-fw"></i>
         </div>
@@ -55,12 +55,12 @@ He was optimizing his infrastructure and found that ssh was  suspiciously slow.
     <a href="#impacted-components" class="header-mark"></a>2 Impacted components</h2><p>The extent of this breach is still unkown, but here is a (partial) list of components shipping the known malicious version of <code>xz</code>:</p>
 <p>Distributions:</p>
 <ul>
-<li>Arch</li>
+<li><a href="https://archlinux.org/news/the-xz-package-has-been-backdoored/" target="_blank" rel="noopener noreferrer">Arch</a></li>
 <li><a href="https://security-tracker.debian.org/tracker/CVE-2024-3094" target="_blank" rel="noopener noreferrer">Debian Sid</a></li>
-<li>Gentoo</li>
+<li><a href="https://bugs.gentoo.org/928134" target="_blank" rel="noopener noreferrer">Gentoo</a></li>
 <li><a href="https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users" target="_blank" rel="noopener noreferrer">Fedora 40</a></li>
 <li>Manjaro Testing</li>
-<li>Parabola</li>
+<li><a href="https://www.parabola.nu/news/arch-announce-the-xz-package-has-been-backdoored/" target="_blank" rel="noopener noreferrer">Parabola</a></li>
 <li>NixOS Unstable</li>
 <li>Slackware</li>
 <li><a href="https://news.opensuse.org/2024/03/29/xz-backdoor/" target="_blank" rel="noopener noreferrer">SUSE Tumbleweed</a></li>
diff --git a/it/index.xml b/it/index.xml
index ae51ba1..ae72af1 100644
--- a/it/index.xml
+++ b/it/index.xml
@@ -61,12 +61,12 @@ Stava ottimizzando la sua infrastruttura e si è accorto che ssh era &ldquo;sosp
     <a href="#componenti-impattate" class="header-mark"></a>2 Componenti impattate</h2><p>L&rsquo;estensione di questo breach è ancora poco chiaro di seguito è riportata una (parziale) lista dei componenti che contiengono la versione malevola di <code>xz</code>:</p>
 <p>Distribuzioni:</p>
 <ul>
-<li>Arch</li>
+<li><a href="https://archlinux.org/news/the-xz-package-has-been-backdoored/" target="_blank" rel="noopener noreferrer">Arch</a></li>
 <li><a href="https://security-tracker.debian.org/tracker/CVE-2024-3094" target="_blank" rel="noopener noreferrer">Debian Sid</a></li>
-<li>Gentoo</li>
+<li><a href="https://bugs.gentoo.org/928134" target="_blank" rel="noopener noreferrer">Gentoo</a></li>
 <li><a href="https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users" target="_blank" rel="noopener noreferrer">Fedora 40</a></li>
 <li>Manjaro Testing</li>
-<li>Parabola</li>
+<li><a href="https://www.parabola.nu/news/arch-announce-the-xz-package-has-been-backdoored/" target="_blank" rel="noopener noreferrer">Parabola</a></li>
 <li>NixOS Unstable</li>
 <li>Slackware</li>
 <li><a href="https://news.opensuse.org/2024/03/29/xz-backdoor/" target="_blank" rel="noopener noreferrer">SUSE Tumbleweed</a></li>
diff --git a/it/posts/index.xml b/it/posts/index.xml
index b836ad4..3928bc0 100644
--- a/it/posts/index.xml
+++ b/it/posts/index.xml
@@ -61,12 +61,12 @@ Stava ottimizzando la sua infrastruttura e si è accorto che ssh era &ldquo;sosp
     <a href="#componenti-impattate" class="header-mark"></a>2 Componenti impattate</h2><p>L&rsquo;estensione di questo breach è ancora poco chiaro di seguito è riportata una (parziale) lista dei componenti che contiengono la versione malevola di <code>xz</code>:</p>
 <p>Distribuzioni:</p>
 <ul>
-<li>Arch</li>
+<li><a href="https://archlinux.org/news/the-xz-package-has-been-backdoored/" target="_blank" rel="noopener noreferrer">Arch</a></li>
 <li><a href="https://security-tracker.debian.org/tracker/CVE-2024-3094" target="_blank" rel="noopener noreferrer">Debian Sid</a></li>
-<li>Gentoo</li>
+<li><a href="https://bugs.gentoo.org/928134" target="_blank" rel="noopener noreferrer">Gentoo</a></li>
 <li><a href="https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users" target="_blank" rel="noopener noreferrer">Fedora 40</a></li>
 <li>Manjaro Testing</li>
-<li>Parabola</li>
+<li><a href="https://www.parabola.nu/news/arch-announce-the-xz-package-has-been-backdoored/" target="_blank" rel="noopener noreferrer">Parabola</a></li>
 <li>NixOS Unstable</li>
 <li>Slackware</li>
 <li><a href="https://news.opensuse.org/2024/03/29/xz-backdoor/" target="_blank" rel="noopener noreferrer">SUSE Tumbleweed</a></li>
diff --git a/it/posts/xz-backdoor/index.html b/it/posts/xz-backdoor/index.html
index 7bb8da8..a962536 100644
--- a/it/posts/xz-backdoor/index.html
+++ b/it/posts/xz-backdoor/index.html
@@ -2,10 +2,10 @@
 <meta property="og:description" content="Come probablilmente già sai, xz è stato compromesso.
 Per i non addetti ai lavori xz è una libreria per la compressione dei dati molto utilizzata sopratutto su Linux.
 Il pacchetto è stato usato come entrypoint per l&rsquo;injection di codice malevolo in sshd, modificandone il flusso di autenticazione.
-Questa vulnerabilità, introdotta deliberatamente attraverso una backdoor, è conosciuta come CVE-2024-3094."><meta property="og:type" content="article"><meta property="og:url" content="https://appsec.space/it/posts/xz-backdoor/"><meta property="og:image" content="https://appsec.space/images/logo.png"><meta property="article:section" content="posts"><meta property="article:published_time" content="2024-03-30T19:49:24+01:00"><meta property="article:modified_time" content="2024-03-31T11:21:25+02:00"><meta property="og:site_name" content="appsec.space"><meta name=twitter:card content="summary_large_image"><meta name=twitter:image content="https://appsec.space/images/logo.png"><meta name=twitter:title content="La backdoor di xz dalla prospettiva di un Security Engineer"><meta name=twitter:description content="Come probablilmente già sai, xz è stato compromesso.
+Questa vulnerabilità, introdotta deliberatamente attraverso una backdoor, è conosciuta come CVE-2024-3094."><meta property="og:type" content="article"><meta property="og:url" content="https://appsec.space/it/posts/xz-backdoor/"><meta property="og:image" content="https://appsec.space/images/logo.png"><meta property="article:section" content="posts"><meta property="article:published_time" content="2024-03-30T19:49:24+01:00"><meta property="article:modified_time" content="2024-03-31T11:33:45+02:00"><meta property="og:site_name" content="appsec.space"><meta name=twitter:card content="summary_large_image"><meta name=twitter:image content="https://appsec.space/images/logo.png"><meta name=twitter:title content="La backdoor di xz dalla prospettiva di un Security Engineer"><meta name=twitter:description content="Come probablilmente già sai, xz è stato compromesso.
 Per i non addetti ai lavori xz è una libreria per la compressione dei dati molto utilizzata sopratutto su Linux.
 Il pacchetto è stato usato come entrypoint per l&rsquo;injection di codice malevolo in sshd, modificandone il flusso di autenticazione.
-Questa vulnerabilità, introdotta deliberatamente attraverso una backdoor, è conosciuta come CVE-2024-3094."><meta name=application-name content="appsec & stuff"><meta name=apple-mobile-web-app-title content="appsec & stuff"><meta name=theme-color content="#f8f8f8"><link rel="shortcut icon" type=image/x-icon href=/favicon.ico><link rel=icon type=image/png sizes=32x32 href=/favicon-32x32.png><link rel=icon type=image/png sizes=16x16 href=/favicon-16x16.png><link rel=apple-touch-icon sizes=180x180 href=/apple-touch-icon.png><link rel=canonical href=https://appsec.space/it/posts/xz-backdoor/><link rel=prev href=https://appsec.space/it/posts/security-theatre/><link rel=stylesheet href=/css/main.b86bec8a7c1321e2b5e187a36d45cf663cb7b452290988619ab647973ec932afb7b7a921ce9c74fe7748384c262951a8db5334e017a020de16436470a45f21e1.css integrity="sha512-uGvsinwTIeK14YejbUXPZjy3tFIpCYhhmrZHlz7JMq+3t6khzpx0/ndIOEwmKVGo21M04BegIN4WQ2RwpF8h4Q=="><link rel=stylesheet href=/lib/normalize/normalize.min.8235a67a2521ef99fb1e455a5891b022af1653b4ede3cfffcac4e473beee88fbcc1a36bbb3cfdd75fd6df46732032f9d96e30adae9c88b769e1fbf7945cd27e0.css integrity="sha512-gjWmeiUh75n7HkVaWJGwIq8WU7Tt48//ysTkc77uiPvMGja7s8/ddf1t9GcyAy+dluMK2unIi3aeH795Rc0n4A=="><link rel=stylesheet href=/css/color.346090a8e4618da38ff45853421bbd1d5ffa3c25e678a3f0131c9f7d5300e15669f91c74f1ed5fab76e7424a2a6a5619a9dc45f99e04f246e37d8af51295b6ae.css integrity="sha512-NGCQqORhjaOP9FhTQhu9HV/6PCXmeKPwExyffVMA4VZp+Rx08e1fq3bnQkoqalYZqdxF+Z4E8kbjfYr1EpW2rg=="><link rel=stylesheet href=/css/style.min.576f64e626e323b8a4701fb2c2d135ec573b32168ff045421aa6092cf2fd42b2664350a8d27e76f5d1843ca3f40e7eb247bf05283550cfc42275cfa9a68fbfa7.css integrity="sha512-V29k5ibjI7ikcB+ywtE17Fc7MhaP8EVCGqYJLPL9QrJmQ1Co0n529dGEPKP0Dn6yR78FKDVQz8Qidc+ppo+/pw=="><link rel=preload as=style onload='this.onload=null,this.rel="stylesheet"' href=/lib/fontawesome-free/all.min.eb8387c9eb0ab6d4fa4d7ad397d15df13b92c009a1eb221b757dd1ecfccabc78a4c5b681847a7f4198ff7cd60abed8300508c9dea138cd1f4a85f09f09b2092a.css integrity="sha512-64OHyesKttT6TXrTl9Fd8TuSwAmh6yIbdX3R7PzKvHikxbaBhHp/QZj/fNYKvtgwBQjJ3qE4zR9KhfCfCbIJKg=="><noscript><link rel=stylesheet href=/lib/fontawesome-free/all.min.eb8387c9eb0ab6d4fa4d7ad397d15df13b92c009a1eb221b757dd1ecfccabc78a4c5b681847a7f4198ff7cd60abed8300508c9dea138cd1f4a85f09f09b2092a.css integrity="sha512-64OHyesKttT6TXrTl9Fd8TuSwAmh6yIbdX3R7PzKvHikxbaBhHp/QZj/fNYKvtgwBQjJ3qE4zR9KhfCfCbIJKg=="></noscript><link rel=preload as=style onload='this.onload=null,this.rel="stylesheet"' href=/lib/animate/animate.min.738daa4d2c3fc0f677ff92c1cc3f81c397fb6d2176a31a2eeb011bf88fe5a9e68a57914321f32fbd1a7bef6cb88dc24b2ae1943a96c931d83f053979d1f25803.css integrity="sha512-c42qTSw/wPZ3/5LBzD+Bw5f7bSF2oxou6wEb+I/lqeaKV5FDIfMvvRp772y4jcJLKuGUOpbJMdg/BTl50fJYAw=="><noscript><link rel=stylesheet href=/lib/animate/animate.min.738daa4d2c3fc0f677ff92c1cc3f81c397fb6d2176a31a2eeb011bf88fe5a9e68a57914321f32fbd1a7bef6cb88dc24b2ae1943a96c931d83f053979d1f25803.css integrity="sha512-c42qTSw/wPZ3/5LBzD+Bw5f7bSF2oxou6wEb+I/lqeaKV5FDIfMvvRp772y4jcJLKuGUOpbJMdg/BTl50fJYAw=="></noscript><script type=application/ld+json>{"@context":"http://schema.org","@type":"BlogPosting","headline":"La backdoor di xz dalla prospettiva di un Security Engineer","inLanguage":"it","mainEntityOfPage":{"@type":"WebPage","@id":"https:\/\/appsec.space\/it\/posts\/xz-backdoor\/"},"genre":"posts","keywords":"backdoor, CVE-2024-3094, xz, liblzma, supply-chain, security-engineering","wordcount":1548,"url":"https:\/\/appsec.space\/it\/posts\/xz-backdoor\/","datePublished":"2024-03-30T19:49:24+01:00","dateModified":"2024-03-31T11:21:25+02:00","publisher":{"@type":"Organization","name":"himazawa"},"author":{"@type":"Person","name":"himazawa"},"description":""}</script><script src=//instant.page/5.2.0 defer type=module integrity=sha384-jnZyxPjiipYXnSU0ygqeac2q7CVYMbh84q0uHVRRxEtvFPiQYbXWUorga2aqZJ0z></script></head><body header-desktop=fixed header-mobile=auto><script type=text/javascript>function setTheme(e){document.body.setAttribute("theme",e),document.documentElement.style.setProperty("color-scheme",e==="light"?"light":"dark"),window.theme=e,window.isDark=window.theme!=="light"}function saveTheme(e){window.localStorage&&localStorage.setItem("theme",e)}function getMeta(e){const t=document.getElementsByTagName("meta");for(let n=0;n<t.length;n++)if(t[n].getAttribute("name")===e)return t[n];return""}if(window.localStorage&&localStorage.getItem("theme")){let e=localStorage.getItem("theme");e==="light"||e==="dark"||e==="black"?setTheme(e):setTheme(window.matchMedia&&window.matchMedia("(prefers-color-scheme: dark)").matches?"dark":"light")}else"auto"==="light"||"auto"==="dark"||"auto"==="black"?(setTheme("auto"),saveTheme("auto")):(saveTheme("auto"),setTheme(window.matchMedia&&window.matchMedia("(prefers-color-scheme: dark)").matches?"dark":"light"));let metaColors={light:"#f8f8f8",dark:"#252627",black:"#000000"};getMeta("theme-color").content=metaColors[document.body.getAttribute("theme")],window.switchThemeEventSet=new Set</script><div id=back-to-top></div><div id=mask></div><div class=wrapper><header class=desktop id=header-desktop><div class=header-wrapper><div class=header-title><a href=/it/ title="appsec & stuff"><img class=logo loading=lazy src=/images/circle_cropped_logo.png srcset="/images/circle_cropped_logo.png, /images/circle_cropped_logo.png 1.5x, /images/circle_cropped_logo.png 2x" sizes=auto alt=/images/circle_cropped_logo.png title=/images/circle_cropped_logo.png></a></div><div class=menu><div class=menu-inner><a class=menu-item href=/it/posts/>Post </a><a class=menu-item href=/it/categories/>Categorie </a><a class=menu-item href=/it/about/>About me </a><span class="menu-item delimiter"></span><a href=javascript:void(0); class="menu-item language" title="Scegliere la lingua">Italiano<i class="fas fa-chevron-right fa-fw"></i>
+Questa vulnerabilità, introdotta deliberatamente attraverso una backdoor, è conosciuta come CVE-2024-3094."><meta name=application-name content="appsec & stuff"><meta name=apple-mobile-web-app-title content="appsec & stuff"><meta name=theme-color content="#f8f8f8"><link rel="shortcut icon" type=image/x-icon href=/favicon.ico><link rel=icon type=image/png sizes=32x32 href=/favicon-32x32.png><link rel=icon type=image/png sizes=16x16 href=/favicon-16x16.png><link rel=apple-touch-icon sizes=180x180 href=/apple-touch-icon.png><link rel=canonical href=https://appsec.space/it/posts/xz-backdoor/><link rel=prev href=https://appsec.space/it/posts/security-theatre/><link rel=stylesheet href=/css/main.b86bec8a7c1321e2b5e187a36d45cf663cb7b452290988619ab647973ec932afb7b7a921ce9c74fe7748384c262951a8db5334e017a020de16436470a45f21e1.css integrity="sha512-uGvsinwTIeK14YejbUXPZjy3tFIpCYhhmrZHlz7JMq+3t6khzpx0/ndIOEwmKVGo21M04BegIN4WQ2RwpF8h4Q=="><link rel=stylesheet href=/lib/normalize/normalize.min.8235a67a2521ef99fb1e455a5891b022af1653b4ede3cfffcac4e473beee88fbcc1a36bbb3cfdd75fd6df46732032f9d96e30adae9c88b769e1fbf7945cd27e0.css integrity="sha512-gjWmeiUh75n7HkVaWJGwIq8WU7Tt48//ysTkc77uiPvMGja7s8/ddf1t9GcyAy+dluMK2unIi3aeH795Rc0n4A=="><link rel=stylesheet href=/css/color.346090a8e4618da38ff45853421bbd1d5ffa3c25e678a3f0131c9f7d5300e15669f91c74f1ed5fab76e7424a2a6a5619a9dc45f99e04f246e37d8af51295b6ae.css integrity="sha512-NGCQqORhjaOP9FhTQhu9HV/6PCXmeKPwExyffVMA4VZp+Rx08e1fq3bnQkoqalYZqdxF+Z4E8kbjfYr1EpW2rg=="><link rel=stylesheet href=/css/style.min.576f64e626e323b8a4701fb2c2d135ec573b32168ff045421aa6092cf2fd42b2664350a8d27e76f5d1843ca3f40e7eb247bf05283550cfc42275cfa9a68fbfa7.css integrity="sha512-V29k5ibjI7ikcB+ywtE17Fc7MhaP8EVCGqYJLPL9QrJmQ1Co0n529dGEPKP0Dn6yR78FKDVQz8Qidc+ppo+/pw=="><link rel=preload as=style onload='this.onload=null,this.rel="stylesheet"' href=/lib/fontawesome-free/all.min.eb8387c9eb0ab6d4fa4d7ad397d15df13b92c009a1eb221b757dd1ecfccabc78a4c5b681847a7f4198ff7cd60abed8300508c9dea138cd1f4a85f09f09b2092a.css integrity="sha512-64OHyesKttT6TXrTl9Fd8TuSwAmh6yIbdX3R7PzKvHikxbaBhHp/QZj/fNYKvtgwBQjJ3qE4zR9KhfCfCbIJKg=="><noscript><link rel=stylesheet href=/lib/fontawesome-free/all.min.eb8387c9eb0ab6d4fa4d7ad397d15df13b92c009a1eb221b757dd1ecfccabc78a4c5b681847a7f4198ff7cd60abed8300508c9dea138cd1f4a85f09f09b2092a.css integrity="sha512-64OHyesKttT6TXrTl9Fd8TuSwAmh6yIbdX3R7PzKvHikxbaBhHp/QZj/fNYKvtgwBQjJ3qE4zR9KhfCfCbIJKg=="></noscript><link rel=preload as=style onload='this.onload=null,this.rel="stylesheet"' href=/lib/animate/animate.min.738daa4d2c3fc0f677ff92c1cc3f81c397fb6d2176a31a2eeb011bf88fe5a9e68a57914321f32fbd1a7bef6cb88dc24b2ae1943a96c931d83f053979d1f25803.css integrity="sha512-c42qTSw/wPZ3/5LBzD+Bw5f7bSF2oxou6wEb+I/lqeaKV5FDIfMvvRp772y4jcJLKuGUOpbJMdg/BTl50fJYAw=="><noscript><link rel=stylesheet href=/lib/animate/animate.min.738daa4d2c3fc0f677ff92c1cc3f81c397fb6d2176a31a2eeb011bf88fe5a9e68a57914321f32fbd1a7bef6cb88dc24b2ae1943a96c931d83f053979d1f25803.css integrity="sha512-c42qTSw/wPZ3/5LBzD+Bw5f7bSF2oxou6wEb+I/lqeaKV5FDIfMvvRp772y4jcJLKuGUOpbJMdg/BTl50fJYAw=="></noscript><script type=application/ld+json>{"@context":"http://schema.org","@type":"BlogPosting","headline":"La backdoor di xz dalla prospettiva di un Security Engineer","inLanguage":"it","mainEntityOfPage":{"@type":"WebPage","@id":"https:\/\/appsec.space\/it\/posts\/xz-backdoor\/"},"genre":"posts","keywords":"backdoor, CVE-2024-3094, xz, liblzma, supply-chain, security-engineering","wordcount":1548,"url":"https:\/\/appsec.space\/it\/posts\/xz-backdoor\/","datePublished":"2024-03-30T19:49:24+01:00","dateModified":"2024-03-31T11:33:45+02:00","publisher":{"@type":"Organization","name":"himazawa"},"author":{"@type":"Person","name":"himazawa"},"description":""}</script><script src=//instant.page/5.2.0 defer type=module integrity=sha384-jnZyxPjiipYXnSU0ygqeac2q7CVYMbh84q0uHVRRxEtvFPiQYbXWUorga2aqZJ0z></script></head><body header-desktop=fixed header-mobile=auto><script type=text/javascript>function setTheme(e){document.body.setAttribute("theme",e),document.documentElement.style.setProperty("color-scheme",e==="light"?"light":"dark"),window.theme=e,window.isDark=window.theme!=="light"}function saveTheme(e){window.localStorage&&localStorage.setItem("theme",e)}function getMeta(e){const t=document.getElementsByTagName("meta");for(let n=0;n<t.length;n++)if(t[n].getAttribute("name")===e)return t[n];return""}if(window.localStorage&&localStorage.getItem("theme")){let e=localStorage.getItem("theme");e==="light"||e==="dark"||e==="black"?setTheme(e):setTheme(window.matchMedia&&window.matchMedia("(prefers-color-scheme: dark)").matches?"dark":"light")}else"auto"==="light"||"auto"==="dark"||"auto"==="black"?(setTheme("auto"),saveTheme("auto")):(saveTheme("auto"),setTheme(window.matchMedia&&window.matchMedia("(prefers-color-scheme: dark)").matches?"dark":"light"));let metaColors={light:"#f8f8f8",dark:"#252627",black:"#000000"};getMeta("theme-color").content=metaColors[document.body.getAttribute("theme")],window.switchThemeEventSet=new Set</script><div id=back-to-top></div><div id=mask></div><div class=wrapper><header class=desktop id=header-desktop><div class=header-wrapper><div class=header-title><a href=/it/ title="appsec & stuff"><img class=logo loading=lazy src=/images/circle_cropped_logo.png srcset="/images/circle_cropped_logo.png, /images/circle_cropped_logo.png 1.5x, /images/circle_cropped_logo.png 2x" sizes=auto alt=/images/circle_cropped_logo.png title=/images/circle_cropped_logo.png></a></div><div class=menu><div class=menu-inner><a class=menu-item href=/it/posts/>Post </a><a class=menu-item href=/it/categories/>Categorie </a><a class=menu-item href=/it/about/>About me </a><span class="menu-item delimiter"></span><a href=javascript:void(0); class="menu-item language" title="Scegliere la lingua">Italiano<i class="fas fa-chevron-right fa-fw"></i>
 <select class=language-select title="Scegliere la lingua" id=language-select-desktop onchange="location=this.value"><option value=/posts/xz-backdoor/>English</option><option value=/it/posts/xz-backdoor/ selected>Italiano</option></select>
 </a><span class="menu-item search" id=search-desktop><input type=text placeholder="Cerca il titolo o il contenuto dell'articolo ..." id=search-input-desktop>
 <a href=javascript:void(0); class="search-button search-toggle" id=search-toggle-desktop title=Cerca><i class="fas fa-search fa-fw"></i>
@@ -23,12 +23,12 @@
 <span><i class="details-icon fas fa-angle-right"></i></span></div><div class="details-content toc-content" id=toc-content-static><nav id=TableOfContents><ul><li><a href=#timeline>Timeline</a></li><li><a href=#componenti-impattate>Componenti impattate</a></li><li><a href=#considerazioni>Considerazioni</a><ul><li><a href=#il-comportamento-di-github>Il comportamento di GitHub</a></li><li><a href=#i-downgrade>I downgrade</a></li></ul></li><li><a href=#come-si-previene-questo-fenomeno>Come si previene questo fenomeno?</a><ul><li><a href=#problemi-di-fiducia>Problemi di fiducia</a></li><li><a href=#statistiche-di-github>Statistiche di GitHub</a></li><li><a href=#engagement-della-community>Engagement della community</a></li><li><a href=#fondi-e-supporto>Fondi e supporto</a></li><li><a href=#sdlc>SDLC</a></li><li><a href=#enterprise-vs-individual>Enterprise vs Individual</a></li><li><a href=#controlli-ricorsivi>Controlli Ricorsivi</a></li></ul></li><li><a href=#risorse>Risorse</a></li></ul></nav></div></div><div class=content id=content><p>Come probablilmente già sai, <code>xz</code> è stato compromesso.
 Per i non addetti ai lavori <code>xz</code> è una libreria per la compressione dei dati molto utilizzata sopratutto su Linux.</p><p>Il pacchetto è stato usato come entrypoint per l&rsquo;injection di codice malevolo in <code>sshd</code>, modificandone il flusso di autenticazione.</p><p>Questa vulnerabilità, introdotta deliberatamente attraverso una backdoor, è conosciuta come <a href=https://nvd.nist.gov/vuln/detail/CVE-2024-3094 target=_blank rel="noopener noreferrer">CVE-2024-3094</a>.</p><div class="details admonition tip open"><div class="details-summary admonition-title"><i class="icon fas fa-lightbulb fa-fw"></i>Note<i class="details-icon fas fa-angle-right fa-fw"></i></div><div class=details-content><div class=admonition-content>La situazione si sta ancora evolvendo, maggiori dettagli emergeranno nel prossimo futuro e aggiornerò il post di conseguenza.</div></div></div><p>Si tratta probabilmente di un&rsquo;operazione a tutti gli effetti vista la metodologia e la durata (quasi due anni), ma non sono la persona giusta per parlare di attributions, OpSec e Threat Actors.
 Nella sezione &ldquo;Risorse&rdquo; in fondo alla pagina ci sono link che riportano ad analisi più dettagliate.</p><p>La situazione non sembra rosea quindi sto provando a scrivere questo blogpost in modo tale da fare un pò di chiarezza.</p><p>Non voglio trattare aspetti troppo tecnici della compromissione ma voglio guardare alla issue dalla prospettiva di un Security Engineer, riassumendo cosa è andato storto e quali sono le possibili remediation a questo problema.</p><h2 id=timeline class=headerLink><a href=#timeline class=header-mark></a>1 Timeline</h2><div class="details admonition tip"><div class="details-summary admonition-title"><i class="icon fas fa-lightbulb fa-fw"></i>Note<i class="details-icon fas fa-angle-right fa-fw"></i></div><div class=details-content><div class=admonition-content>Controlla la sezione Risorse per i link ad una timeline più dettagliata</div></div></div><ul><li><p><strong>2023</strong>:</p><ul><li>Un nuovo maintainer appare sul progetto <code>xz</code></li><li>A new maintainer shows up in the <code>xz</code> project</li></ul></li><li><p><strong>29 Mar 2024</strong>:</p><ul><li><p>Andres Freund invia un&rsquo;email alla mailing list oss-security che riguarda una backdoor in <code>xz/liblzma</code>.
-Stava ottimizzando la sua infrastruttura e si è accorto che ssh era &ldquo;sospettosamente&rdquo; lento (parliamo di 400ms di differenza, difficilmente notabili a meno che non si stia facendo micro ottimizzazione). Qualche debug dopo si è accorto che la problmatica di performace era probabilmente causata dal codice della backdoor. L&rsquo;analisi iniziale è stata fatta con l&rsquo;aiuto di Florian Weimer.</p></li><li><p>Le distribuzioni impattate (che quindi contenevano il pacchetto <code>xz</code>) hanno cominciato a rilasciare patch di downgrade a una versione precedente</p></li></ul></li><li><p><strong>30 Mar 2024</strong>:</p><ul><li><p>GitHub ha bloccato l&rsquo;accesso al repository e ha sospeso l&rsquo;account di entrambi i maintainer di <code>xz</code></p></li><li><p>Un <a href=https://tukaani.org/xz-backdoor/ target=_blank rel="noopener noreferrer">comunicato ufficiale</a> è stato rilasciato dal maintainer del progetto</p></li></ul></li></ul><h2 id=componenti-impattate class=headerLink><a href=#componenti-impattate class=header-mark></a>2 Componenti impattate</h2><p>L&rsquo;estensione di questo breach è ancora poco chiaro di seguito è riportata una (parziale) lista dei componenti che contiengono la versione malevola di <code>xz</code>:</p><p>Distribuzioni:</p><ul><li>Arch</li><li><a href=https://security-tracker.debian.org/tracker/CVE-2024-3094 target=_blank rel="noopener noreferrer">Debian Sid</a></li><li>Gentoo</li><li><a href=https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users target=_blank rel="noopener noreferrer">Fedora 40</a></li><li>Manjaro Testing</li><li>Parabola</li><li>NixOS Unstable</li><li>Slackware</li><li><a href=https://news.opensuse.org/2024/03/29/xz-backdoor/ target=_blank rel="noopener noreferrer">SUSE Tumbleweed</a></li><li><a href=https://infosec.exchange/@kalilinux/112180505434870941 target=_blank rel="noopener noreferrer">Kali Linux</a></li></ul><p>Il pacchetto con la backdoor è inoltre contenuto nei seguenti package manager:</p><ul><li>Homebrew</li><li>MacPorts</li><li>pkgsrc</li></ul><p>Al momento sappiamo che ci sono dei controlli nel codice della backdoor che riguardano <a href=https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27#design target=_blank rel="noopener noreferrer">specificatamente le istanze di Linux x86_64/amd64</a> quindi il numero dei target effettivi potrebbe essere ridotto (relativamente) ma la situazione è poco chiara, non raccomanderei di tenere un pacchetto compromesso sul sistema.</p><h2 id=considerazioni class=headerLink><a href=#considerazioni class=header-mark></a>3 Considerazioni</h2><h3 id=il-comportamento-di-github class=headerLink><a href=#il-comportamento-di-github class=header-mark></a>3.1 Il comportamento di GitHub</h3><p>Le ragioni dietro il blocco dei repository di <code>xz</code> è ancora un mistero per me, specialmente sapendo che con il codice disponibile è possibile anche fare ulteriori analisi e avere uno scenario più chiaro della compromissione.</p><p>Il blocco dell&rsquo;accesso ai sortgenti di <code>xz</code> è un fattore che rallenterà l&rsquo;arrivo delle analisi, che è un male in una situazione time-critical come questa.</p><h3 id=i-downgrade class=headerLink><a href=#i-downgrade class=header-mark></a>3.2 I downgrade</h3><p>La patch strategy per praticamente tutti è stata di forzare il downgrade dalle versioni <code>5.6.0</code>-<code>5.6.1</code> ad una precedente.
+Stava ottimizzando la sua infrastruttura e si è accorto che ssh era &ldquo;sospettosamente&rdquo; lento (parliamo di 400ms di differenza, difficilmente notabili a meno che non si stia facendo micro ottimizzazione). Qualche debug dopo si è accorto che la problmatica di performace era probabilmente causata dal codice della backdoor. L&rsquo;analisi iniziale è stata fatta con l&rsquo;aiuto di Florian Weimer.</p></li><li><p>Le distribuzioni impattate (che quindi contenevano il pacchetto <code>xz</code>) hanno cominciato a rilasciare patch di downgrade a una versione precedente</p></li></ul></li><li><p><strong>30 Mar 2024</strong>:</p><ul><li><p>GitHub ha bloccato l&rsquo;accesso al repository e ha sospeso l&rsquo;account di entrambi i maintainer di <code>xz</code></p></li><li><p>Un <a href=https://tukaani.org/xz-backdoor/ target=_blank rel="noopener noreferrer">comunicato ufficiale</a> è stato rilasciato dal maintainer del progetto</p></li></ul></li></ul><h2 id=componenti-impattate class=headerLink><a href=#componenti-impattate class=header-mark></a>2 Componenti impattate</h2><p>L&rsquo;estensione di questo breach è ancora poco chiaro di seguito è riportata una (parziale) lista dei componenti che contiengono la versione malevola di <code>xz</code>:</p><p>Distribuzioni:</p><ul><li><a href=https://archlinux.org/news/the-xz-package-has-been-backdoored/ target=_blank rel="noopener noreferrer">Arch</a></li><li><a href=https://security-tracker.debian.org/tracker/CVE-2024-3094 target=_blank rel="noopener noreferrer">Debian Sid</a></li><li><a href=https://bugs.gentoo.org/928134 target=_blank rel="noopener noreferrer">Gentoo</a></li><li><a href=https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users target=_blank rel="noopener noreferrer">Fedora 40</a></li><li>Manjaro Testing</li><li><a href=https://www.parabola.nu/news/arch-announce-the-xz-package-has-been-backdoored/ target=_blank rel="noopener noreferrer">Parabola</a></li><li>NixOS Unstable</li><li>Slackware</li><li><a href=https://news.opensuse.org/2024/03/29/xz-backdoor/ target=_blank rel="noopener noreferrer">SUSE Tumbleweed</a></li><li><a href=https://infosec.exchange/@kalilinux/112180505434870941 target=_blank rel="noopener noreferrer">Kali Linux</a></li></ul><p>Il pacchetto con la backdoor è inoltre contenuto nei seguenti package manager:</p><ul><li>Homebrew</li><li>MacPorts</li><li>pkgsrc</li></ul><p>Al momento sappiamo che ci sono dei controlli nel codice della backdoor che riguardano <a href=https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27#design target=_blank rel="noopener noreferrer">specificatamente le istanze di Linux x86_64/amd64</a> quindi il numero dei target effettivi potrebbe essere ridotto (relativamente) ma la situazione è poco chiara, non raccomanderei di tenere un pacchetto compromesso sul sistema.</p><h2 id=considerazioni class=headerLink><a href=#considerazioni class=header-mark></a>3 Considerazioni</h2><h3 id=il-comportamento-di-github class=headerLink><a href=#il-comportamento-di-github class=header-mark></a>3.1 Il comportamento di GitHub</h3><p>Le ragioni dietro il blocco dei repository di <code>xz</code> è ancora un mistero per me, specialmente sapendo che con il codice disponibile è possibile anche fare ulteriori analisi e avere uno scenario più chiaro della compromissione.</p><p>Il blocco dell&rsquo;accesso ai sortgenti di <code>xz</code> è un fattore che rallenterà l&rsquo;arrivo delle analisi, che è un male in una situazione time-critical come questa.</p><h3 id=i-downgrade class=headerLink><a href=#i-downgrade class=header-mark></a>3.2 I downgrade</h3><p>La patch strategy per praticamente tutti è stata di forzare il downgrade dalle versioni <code>5.6.0</code>-<code>5.6.1</code> ad una precedente.
 Qualcuno(homebrew, per esempio), ha forzato il downgrade alla versione <code>5.4.6</code>.</p><p>Questo è interessante perchè sicurametne sappiamo che c&rsquo;è una backdoor sulle versioni <code>5.6.0</code>-<code>5.6.1</code>, ma sappiamo anche che l&rsquo;attaccante ha lavorato sul repository per più di due anni.</p><p>La versione <code>5.4.6</code>, ad esempio, è stata anch&rsquo;essa compilata dall&rsquo;attaccante e non dovrebbe essere considerata safe.
 Ancora una volta, grazie GitHub per aver bloccato l&rsquo;accesso ai sorgenti e contribuito a far capire ancora meno la situazione.</p><h2 id=come-si-previene-questo-fenomeno class=headerLink><a href=#come-si-previene-questo-fenomeno class=header-mark></a>4 Come si previene questo fenomeno?</h2><p>Come ho detto all&rsquo;inizio del post, non voglio scendere troppo in profondità con l&rsquo;analisi tecnica della backdoor, per due ragioni principali: con l&rsquo;accesso al codice sorgente bloccato <a href=https://github.com/xz-mirror/xz target=_blank rel="noopener noreferrer">solo un archivio</a> (al momento della scrittura) è disponibile, le informazioni sono incomplete e non vorrei davvero reversare il binario di <code>xz</code>.</p><p>Inoltre, e questo è il motivo più importante, persone con più conoscienze di me sul modo di operare dei Threat Actors ci stanno già lavorando.
 Non appena verranno pubblicati i primi articoli tecnici saranno disponibili nella sezione &ldquo;Risorse&rdquo;, in fondo alla pagina</p><p>Una cosa che però posso fare qui è mostrare il punto di vista di un Security Engineer sul problema, come avrei mitigato la situazione e quali step sono andati storti.</p><div class="details admonition tip open"><div class="details-summary admonition-title"><i class="icon fas fa-lightbulb fa-fw"></i>Note<i class="details-icon fas fa-angle-right fa-fw"></i></div><div class=details-content><div class=admonition-content>TL;DR: non esiste una reale soluzione al problema</div></div></div><h3 id=problemi-di-fiducia class=headerLink><a href=#problemi-di-fiducia class=header-mark></a>4.1 Problemi di fiducia</h3><p><figure><a class=lightgallery href=https://imgs.xkcd.com/comics/dependency_2x.png title=https://imgs.xkcd.com/comics/dependency_2x.png data-thumbnail=https://imgs.xkcd.com/comics/dependency_2x.png><img loading=lazy src=https://imgs.xkcd.com/comics/dependency_2x.png srcset="https://imgs.xkcd.com/comics/dependency_2x.png, https://imgs.xkcd.com/comics/dependency_2x.png 1.5x, https://imgs.xkcd.com/comics/dependency_2x.png 2x" sizes=auto alt=https://imgs.xkcd.com/comics/dependency_2x.png></a></figure></p><p><code>xz</code> è un software mantenuto (fino al 2023) da una singola persona. Successivamente un altro maintainer è arrivato ma sfortunatamente per noi, è la stessa persona che ha inviato la backdoor upstream. Questo ovviamente va in conflitto col fatto che <code>xz</code> sia un pacchetto incredbilimente popolare in tantissime distribuzioni e parte delle dipednenze di numerosi software.</p><p>Probabilmente questo è stato visto dall&rsquo;attaccante come una miniera d&rsquo;oro dal momento che risultava facile riuscire a farsi affidare il ruolo di maintainer e pubblicare codice malevolo.</p><p>Dovendo fare affidamento a codice di terze parti per la supply chain, è necessario avere fiducia in qualcuno a un certo punto.
 Quando si parla di Supply Chain security, le raccomandazioni sono sempre le stesse: pin degli hash e verifica delle firme.</p><p>Questo funziona fino a quando ci troviamo in scenari dove un attaccante ha compromesso la CICD della dipedenza e invia build malevole, un account è stato compromesso etc.</p><p>Ma cosa si può fare se, tutto a un tratto, un maintainer fidato si rivela malevolo?</p><p>Da utente standard, a meno che tu non voglia (e sia capace) di fare code review a ogni singolo commit di ogni singolo pezzo di software con cui interagisce il tuo sistema operativo: più o meno nulla.</p><p>Dall&rsquo;altro lato, i developers e gli owner dei repsitory dovrebbero aumentare i controlli della loro supply chain includendo metriche più strette al fine di escludere pacchetti con alto rischio.</p><p>Una delle cose più ricorrenti che si sentono quando si parla si Open Source e Security sono le persone che credono che, dal momento che il codice sorgente è disponibile, magicamente risulta sicuro.</p><p>Uno dei fattori spesso trascurato è l&rsquo;assunzione che avere accesso al sorgente si traduce automaticamente in un pool maggiore di occhi che cercano problemi e vulnerabilità.</p><p>L&rsquo;efficacia di queste review dipende principamente dal livello di coinvolgimento della community e dall&rsquo;esperienza delle persone che poi quel codice effettivamente lo leggono, e di solito non è tanto. Molti progetti ricevono pochissima attenzione e solo pochi contribuiscono attivamente ai processi di review. Come risultato, le vulnerabilità (intenzionali o meno) possono passare inosservate per lunghi periodi di tempo, creando un rischio significante per gli utenti.</p><p>Ogni volta che una discussione come questa si riapre, mi torna in mente il <a href=https://blog.infosectcbr.com.au/2018/11/pitfalls-using-strcat.html target=_blank rel="noopener noreferrer">&ldquo;Mese di Kali&rdquo; di InfosectCBR</a>, dove <a href=https://twitter.com/silviocesare target=_blank rel="noopener noreferrer">Silvio Cesare</a> ha passato un mese a trovare e pubblicare vulnerabilità nei software contenuti nei repository di Kali Linux.</p><p>Di seguito riporto una lista (parziale) di fattori che potrebbero contribuire a ridurre il rischio:</p><h3 id=statistiche-di-github class=headerLink><a href=#statistiche-di-github class=header-mark></a>4.2 Statistiche di GitHub</h3><p>Giusto per essere chiaro fin dall&rsquo;inizio: No, non si può fare affidamento su queste metriche.</p><p>Esiste un mercato sulla compravendita di statistiche di GitHub come stelle, fork etc.
 Puoi trovare un buon articolo qui: <a href=https://dagster.io/blog/fake-stars target=_blank rel="noopener noreferrer">https://dagster.io/blog/fake-stars</a></p><h3 id=engagement-della-community class=headerLink><a href=#engagement-della-community class=header-mark></a>4.3 Engagement della community</h3><p>Valutare sempre la dimensione e l&rsquo;engagement della community che circonda il progetto.</p><p>Una community grande ed attiva può fornire occhi aggiuntivi sulle code review, i bug report etc.</p><p><code>xz</code> aveva letteralmente 2 maintainers e uno dei due è risultato essere l&rsquo;attore malevolo.</p><h3 id=fondi-e-supporto class=headerLink><a href=#fondi-e-supporto class=header-mark></a>4.4 Fondi e supporto</h3><p>Condsiderare sempre l&rsquo;aspetto economico del progetto e da chi sta venendo finanziato. I progetti con dei fondi dedicati tendono ad avere risorse aggiuntive per i security audit e la manutenzione del codice e soprattutto è meno probabile che vengano abbandonati.</p><div class="details admonition tip open"><div class="details-summary admonition-title"><i class="icon fas fa-lightbulb fa-fw"></i>Tip<i class="details-icon fas fa-angle-right fa-fw"></i></div><div class=details-content><div class=admonition-content>Ricorda: si vuole fare affidamento su quel codice per l&rsquo;intera settimana, non solo durante il tempo libero del maintainer. I progetti con un buon supporto finanziario è molto più probabile divengano lavori a tempo pieno che solo hobby da portare avanti sporadicamente.</div></div></div><h3 id=sdlc class=headerLink><a href=#sdlc class=header-mark></a>4.5 SDLC</h3><p>Una buona porzione della valutazione dovrebbe concentrarsi sul ciclo si sviluppo del software per assicurarsi che i gate (di sicurezza e qualità più in generale) siano implementati correttamente, le pull request abbiano bisogno di approvazione e ci siano delle pratiche sane che non permettano ad un singolo contributor di inviare codice malevolo senza approvazione.</p><p>Inoltre è necessario tenere in cosiderazione che siamo umani e commettiamo errori. Passare una code review non significa automaticamente che il codice sia sicuro, come ho detto prima: non esiste una vera soluzione al problema, solo modi per abbassare la probabilità che le cose brutte accadano.</p><h3 id=enterprise-vs-individual class=headerLink><a href=#enterprise-vs-individual class=header-mark></a>4.6 Enterprise vs Individual</h3><p>Questo è un argomento abbastanza controverso perchè ci sono progetti mantenuti da persone individuali che sono ben strutturati.
-Di solito però, utilizzando cdice prodotto da (grandi) aziende renderà più probabile l&rsquo;avere delle best practice di sviluppo, avere un continuo stream di fondi per mantenere il progetto in piedi e soprattuto difficilmente una grande azienda metterebbe una backdoor di proposito nel proprio codice. Di nuovo, questo aumenta solo le probabilità, non va preso come concetto assoluto ;)</p><h3 id=controlli-ricorsivi class=headerLink><a href=#controlli-ricorsivi class=header-mark></a>4.7 Controlli Ricorsivi</h3><p>Il progetto che stai includendo probabilmente avrà anch&rsquo;esso delle dipendenze, assicurati che i maintainers applichino a loro volta lo stesso scrutinio sulla loro supply chain per evitare compromissioni indirette.</p><h2 id=risorse class=headerLink><a href=#risorse class=header-mark></a>5 Risorse</h2><ul><li>OSS-Security List: <a href=https://www.openwall.com/lists/oss-security/2024/03/29/4 target=_blank rel="noopener noreferrer">https://www.openwall.com/lists/oss-security/2024/03/29/4</a></li><li>Comprehensive timeline: <a href=https://boehs.org/node/everything-i-know-about-the-xz-backdoor target=_blank rel="noopener noreferrer">https://boehs.org/node/everything-i-know-about-the-xz-backdoor</a></li><li>Compromise link roundup: <a href=https://shellsharks.com/xz-compromise-link-roundup target=_blank rel="noopener noreferrer">https://shellsharks.com/xz-compromise-link-roundup</a></li><li>Obfuscation Analysis: <a href="https://gynvael.coldwind.pl/?lang=en&amp;id=782" target=_blank rel="noopener noreferrer">https://gynvael.coldwind.pl/?lang=en&id=782</a></li><li>Backdoor Analysis: <a href=https://gist.github.com/smx-smx/a6112d54777845d389bd7126d6e9f504 target=_blank rel="noopener noreferrer">https://gist.github.com/smx-smx/a6112d54777845d389bd7126d6e9f504</a></li></ul></div><div class=post-footer id=post-footer><div class=post-info><div class=post-info-line><div class=post-info-mod><span>Aggiornato il 2024-03-31&nbsp;<a class=git-hash href=https://github.com/homazawa/himazawa.github.io/commit/e676706854abdf2916f7a58039db413263279657 target=_blank title="commit by himazawa(73994521+himazawa@users.noreply.github.com) e676706854abdf2916f7a58039db413263279657: chore: fixed typo" rel="noopener noreferrer">
-<i class="fas fa-hashtag fa-fw"></i>e676706</a></span></div><div class=post-info-license></div></div><div class=post-info-line><div class=post-info-md><span><a class=link-to-mardown href=/it/posts/xz-backdoor/index.md target=_blank rel="noopener noreferrer">Leggi Markdown</a></span></div><div class=post-info-share></div></div></div><div class=post-info-more><section class=post-tags><i class="fas fa-tags fa-fw"></i>&nbsp;<a href=/it/tags/backdoor/>Backdoor</a>,&nbsp;<a href=/it/tags/cve-2024-3094/>CVE-2024-3094</a>,&nbsp;<a href=/it/tags/xz/>Xz</a>,&nbsp;<a href=/it/tags/liblzma/>Liblzma</a>,&nbsp;<a href=/it/tags/supply-chain/>Supply-Chain</a>,&nbsp;<a href=/it/tags/security-engineering/>Security-Engineering</a></section><section><span><a href=javascript:void(0); onclick=window.history.back()>Indietro</a></span>&nbsp;|&nbsp;<span><a href=/it/>Home</a></span></section></div><div class=post-nav><a href=/it/posts/security-theatre/ class=prev rel=prev title="Security Theatre? Direi quasi Security Circus"><i class="fas fa-angle-left fa-fw"></i>Security Theatre? Direi quasi Security Circus</a></div></div></article></div></main></div><div id=fixed-buttons><a href=#back-to-top id=back-to-top-button class=fixed-button title="Torna all'inizio"><i class="fas fa-arrow-up fa-fw"></i>
+Di solito però, utilizzando cdice prodotto da (grandi) aziende renderà più probabile l&rsquo;avere delle best practice di sviluppo, avere un continuo stream di fondi per mantenere il progetto in piedi e soprattuto difficilmente una grande azienda metterebbe una backdoor di proposito nel proprio codice. Di nuovo, questo aumenta solo le probabilità, non va preso come concetto assoluto ;)</p><h3 id=controlli-ricorsivi class=headerLink><a href=#controlli-ricorsivi class=header-mark></a>4.7 Controlli Ricorsivi</h3><p>Il progetto che stai includendo probabilmente avrà anch&rsquo;esso delle dipendenze, assicurati che i maintainers applichino a loro volta lo stesso scrutinio sulla loro supply chain per evitare compromissioni indirette.</p><h2 id=risorse class=headerLink><a href=#risorse class=header-mark></a>5 Risorse</h2><ul><li>OSS-Security List: <a href=https://www.openwall.com/lists/oss-security/2024/03/29/4 target=_blank rel="noopener noreferrer">https://www.openwall.com/lists/oss-security/2024/03/29/4</a></li><li>Comprehensive timeline: <a href=https://boehs.org/node/everything-i-know-about-the-xz-backdoor target=_blank rel="noopener noreferrer">https://boehs.org/node/everything-i-know-about-the-xz-backdoor</a></li><li>Compromise link roundup: <a href=https://shellsharks.com/xz-compromise-link-roundup target=_blank rel="noopener noreferrer">https://shellsharks.com/xz-compromise-link-roundup</a></li><li>Obfuscation Analysis: <a href="https://gynvael.coldwind.pl/?lang=en&amp;id=782" target=_blank rel="noopener noreferrer">https://gynvael.coldwind.pl/?lang=en&id=782</a></li><li>Backdoor Analysis: <a href=https://gist.github.com/smx-smx/a6112d54777845d389bd7126d6e9f504 target=_blank rel="noopener noreferrer">https://gist.github.com/smx-smx/a6112d54777845d389bd7126d6e9f504</a></li></ul></div><div class=post-footer id=post-footer><div class=post-info><div class=post-info-line><div class=post-info-mod><span>Aggiornato il 2024-03-31&nbsp;<a class=git-hash href=https://github.com/homazawa/himazawa.github.io/commit/00a5b087c956d52c39ac6d4de76ed02911552a02 target=_blank title="commit by himazawa(73994521+himazawa@users.noreply.github.com) 00a5b087c956d52c39ac6d4de76ed02911552a02: post: added references" rel="noopener noreferrer">
+<i class="fas fa-hashtag fa-fw"></i>00a5b08</a></span></div><div class=post-info-license></div></div><div class=post-info-line><div class=post-info-md><span><a class=link-to-mardown href=/it/posts/xz-backdoor/index.md target=_blank rel="noopener noreferrer">Leggi Markdown</a></span></div><div class=post-info-share></div></div></div><div class=post-info-more><section class=post-tags><i class="fas fa-tags fa-fw"></i>&nbsp;<a href=/it/tags/backdoor/>Backdoor</a>,&nbsp;<a href=/it/tags/cve-2024-3094/>CVE-2024-3094</a>,&nbsp;<a href=/it/tags/xz/>Xz</a>,&nbsp;<a href=/it/tags/liblzma/>Liblzma</a>,&nbsp;<a href=/it/tags/supply-chain/>Supply-Chain</a>,&nbsp;<a href=/it/tags/security-engineering/>Security-Engineering</a></section><section><span><a href=javascript:void(0); onclick=window.history.back()>Indietro</a></span>&nbsp;|&nbsp;<span><a href=/it/>Home</a></span></section></div><div class=post-nav><a href=/it/posts/security-theatre/ class=prev rel=prev title="Security Theatre? Direi quasi Security Circus"><i class="fas fa-angle-left fa-fw"></i>Security Theatre? Direi quasi Security Circus</a></div></div></article></div></main></div><div id=fixed-buttons><a href=#back-to-top id=back-to-top-button class=fixed-button title="Torna all'inizio"><i class="fas fa-arrow-up fa-fw"></i>
 </a><a href=# id=view-comments class=fixed-button title="Vedi commenti"><i class="fas fa-comment fa-fw"></i></a></div><div class=assets><script type=text/javascript>window.config={code:{copyTitle:"Copia negli appunti",maxShownLines:10},comment:{},search:{distance:100,findAllMatches:!0,fuseIndexURL:"/it/index.json",highlightTag:"em",ignoreFieldNorm:!1,ignoreLocation:!0,isCaseSensitive:!1,location:0,maxResultLength:10,minMatchCharLength:2,noResultsFound:"Nessun risultato trovato",snippetLength:300,threshold:.1,type:"fuse",useExtendedSearch:!1},table:{sort:!0}}</script><script type=text/javascript src=/lib/tablesort/tablesort.min.23640461c9e6941882f50f4208436e1932c806bcc32323a34ff378781204951e05534a0bbc3c1e401d111aa22a26ecc5d4f2cfb43af59d94da8a24f2b8ef8506.js integrity="sha512-I2QEYcnmlBiC9Q9CCENuGTLIBrzDIyOjT/N4eBIElR4FU0oLvDweQB0RGqIqJuzF1PLPtDr1nZTaiiTyuO+FBg=="></script><script type=text/javascript src=/lib/clipboard/clipboard.min.b08a94127467df50609e03e61edd897a7ce57830ec5f060efa2caf438e8cc3a44bfae7405198f69ffbbf3c663cd0dc51c729ceed1f71206c792c4cf0e0835625.js integrity="sha512-sIqUEnRn31BgngPmHt2JenzleDDsXwYO+iyvQ46Mw6RL+udAUZj2n/u/PGY80NxRxynO7R9xIGx5LEzw4INWJQ=="></script><script type=text/javascript src=/js/theme.min.js defer></script></div></body></html>
\ No newline at end of file
diff --git a/it/posts/xz-backdoor/index.md b/it/posts/xz-backdoor/index.md
index 6ae95b7..4fe2af7 100644
--- a/it/posts/xz-backdoor/index.md
+++ b/it/posts/xz-backdoor/index.md
@@ -45,12 +45,12 @@ Controlla la sezione Risorse per i link ad una timeline più dettagliata
 L'estensione di questo breach è ancora poco chiaro di seguito è riportata una (parziale) lista dei componenti che contiengono la versione malevola di `xz`:
 
 Distribuzioni:
-- Arch
+- [Arch](https://archlinux.org/news/the-xz-package-has-been-backdoored/)
 - [Debian Sid](https://security-tracker.debian.org/tracker/CVE-2024-3094)
-- Gentoo
+- [Gentoo](https://bugs.gentoo.org/928134)
 - [Fedora 40](https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users)
 - Manjaro Testing
-- Parabola
+- [Parabola](https://www.parabola.nu/news/arch-announce-the-xz-package-has-been-backdoored/)
 - NixOS Unstable
 - Slackware
 - [SUSE Tumbleweed](https://news.opensuse.org/2024/03/29/xz-backdoor/)
diff --git a/it/sitemap.xml b/it/sitemap.xml
index fd42900..4f6a09e 100644
--- a/it/sitemap.xml
+++ b/it/sitemap.xml
@@ -1 +1 @@
-<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9" xmlns:xhtml="http://www.w3.org/1999/xhtml"><url><loc>https://appsec.space/it/</loc><lastmod>2024-03-31T11:21:25+02:00</lastmod><changefreq>weekly</changefreq><priority>1</priority><xhtml:link rel="alternate" hreflang="en" href="https://appsec.space/"/><xhtml:link rel="alternate" hreflang="it" href="https://appsec.space/it/"/></url><url><loc>https://appsec.space/it/tags/backdoor/</loc><lastmod>2024-03-31T11:21:25+02:00</lastmod><changefreq>weekly</changefreq><priority>1</priority><xhtml:link rel="alternate" hreflang="en" href="https://appsec.space/tags/backdoor/"/><xhtml:link rel="alternate" hreflang="it" href="https://appsec.space/it/tags/backdoor/"/></url><url><loc>https://appsec.space/it/tags/cve-2024-3094/</loc><lastmod>2024-03-31T11:21:25+02:00</lastmod><changefreq>weekly</changefreq><priority>1</priority><xhtml:link rel="alternate" hreflang="en" href="https://appsec.space/tags/cve-2024-3094/"/><xhtml:link rel="alternate" hreflang="it" href="https://appsec.space/it/tags/cve-2024-3094/"/></url><url><loc>https://appsec.space/it/posts/xz-backdoor/</loc><lastmod>2024-03-31T11:21:25+02:00</lastmod><changefreq>weekly</changefreq><priority>1</priority><xhtml:link rel="alternate" hreflang="en" href="https://appsec.space/posts/xz-backdoor/"/><xhtml:link rel="alternate" hreflang="it" href="https://appsec.space/it/posts/xz-backdoor/"/></url><url><loc>https://appsec.space/it/tags/liblzma/</loc><lastmod>2024-03-31T11:21:25+02:00</lastmod><changefreq>weekly</changefreq><priority>1</priority><xhtml:link rel="alternate" hreflang="en" href="https://appsec.space/tags/liblzma/"/><xhtml:link rel="alternate" hreflang="it" href="https://appsec.space/it/tags/liblzma/"/></url><url><loc>https://appsec.space/it/posts/</loc><lastmod>2024-03-31T11:21:25+02:00</lastmod><changefreq>weekly</changefreq><priority>1</priority><xhtml:link rel="alternate" hreflang="en" href="https://appsec.space/posts/"/><xhtml:link rel="alternate" hreflang="it" href="https://appsec.space/it/posts/"/></url><url><loc>https://appsec.space/it/tags/security-engineering/</loc><lastmod>2024-03-31T11:21:25+02:00</lastmod><changefreq>weekly</changefreq><priority>1</priority><xhtml:link rel="alternate" hreflang="en" href="https://appsec.space/tags/security-engineering/"/><xhtml:link rel="alternate" hreflang="it" href="https://appsec.space/it/tags/security-engineering/"/></url><url><loc>https://appsec.space/it/tags/supply-chain/</loc><lastmod>2024-03-31T11:21:25+02:00</lastmod><changefreq>weekly</changefreq><priority>1</priority><xhtml:link rel="alternate" hreflang="en" href="https://appsec.space/tags/supply-chain/"/><xhtml:link rel="alternate" hreflang="it" href="https://appsec.space/it/tags/supply-chain/"/></url><url><loc>https://appsec.space/it/tags/</loc><lastmod>2024-03-31T11:21:25+02:00</lastmod><changefreq>weekly</changefreq><priority>1</priority><xhtml:link rel="alternate" hreflang="en" href="https://appsec.space/tags/"/><xhtml:link rel="alternate" hreflang="it" href="https://appsec.space/it/tags/"/></url><url><loc>https://appsec.space/it/tags/xz/</loc><lastmod>2024-03-31T11:21:25+02:00</lastmod><changefreq>weekly</changefreq><priority>1</priority><xhtml:link rel="alternate" hreflang="en" href="https://appsec.space/tags/xz/"/><xhtml:link rel="alternate" hreflang="it" href="https://appsec.space/it/tags/xz/"/></url><url><loc>https://appsec.space/it/categories/</loc><lastmod>2024-03-30T22:00:02+01:00</lastmod><changefreq>weekly</changefreq><priority>1</priority><xhtml:link rel="alternate" hreflang="en" href="https://appsec.space/categories/"/><xhtml:link rel="alternate" hreflang="it" href="https://appsec.space/it/categories/"/></url><url><loc>https://appsec.space/it/categories/general-knowledge/</loc><lastmod>2024-03-30T22:00:02+01:00</lastmod><changefreq>weekly</changefreq><priority>1</priority><xhtml:link rel="alternate" hreflang="en" href="https://appsec.space/categories/general-knowledge/"/><xhtml:link rel="alternate" hreflang="it" href="https://appsec.space/it/categories/general-knowledge/"/></url><url><loc>https://appsec.space/it/tags/infosec/</loc><lastmod>2024-03-30T22:00:02+01:00</lastmod><changefreq>weekly</changefreq><priority>1</priority><xhtml:link rel="alternate" hreflang="en" href="https://appsec.space/tags/infosec/"/><xhtml:link rel="alternate" hreflang="it" href="https://appsec.space/it/tags/infosec/"/></url><url><loc>https://appsec.space/it/tags/rants/</loc><lastmod>2024-03-30T22:00:02+01:00</lastmod><changefreq>weekly</changefreq><priority>1</priority><xhtml:link rel="alternate" hreflang="en" href="https://appsec.space/tags/rants/"/><xhtml:link rel="alternate" hreflang="it" href="https://appsec.space/it/tags/rants/"/></url><url><loc>https://appsec.space/it/tags/security-theatre/</loc><lastmod>2024-03-30T22:00:02+01:00</lastmod><changefreq>weekly</changefreq><priority>1</priority><xhtml:link rel="alternate" hreflang="en" href="https://appsec.space/tags/security-theatre/"/><xhtml:link rel="alternate" hreflang="it" href="https://appsec.space/it/tags/security-theatre/"/></url><url><loc>https://appsec.space/it/posts/security-theatre/</loc><lastmod>2024-03-30T22:00:02+01:00</lastmod><changefreq>weekly</changefreq><priority>1</priority><xhtml:link rel="alternate" hreflang="en" href="https://appsec.space/posts/security-theatre/"/><xhtml:link rel="alternate" hreflang="it" href="https://appsec.space/it/posts/security-theatre/"/></url><url><loc>https://appsec.space/it/posts/long-time-no-see/</loc><lastmod>2024-03-30T22:00:02+01:00</lastmod><changefreq>weekly</changefreq><priority>1</priority><xhtml:link rel="alternate" hreflang="en" href="https://appsec.space/posts/long-time-no-see/"/><xhtml:link rel="alternate" hreflang="it" href="https://appsec.space/it/posts/long-time-no-see/"/></url><url><loc>https://appsec.space/it/tags/updates/</loc><lastmod>2024-03-30T22:00:02+01:00</lastmod><changefreq>weekly</changefreq><priority>1</priority><xhtml:link rel="alternate" hreflang="en" href="https://appsec.space/tags/updates/"/><xhtml:link rel="alternate" hreflang="it" href="https://appsec.space/it/tags/updates/"/></url><url><loc>https://appsec.space/it/about/</loc><lastmod>2023-03-21T22:11:59+01:00</lastmod><changefreq>weekly</changefreq><priority>0.5</priority><xhtml:link rel="alternate" hreflang="en" href="https://appsec.space/about/"/><xhtml:link rel="alternate" hreflang="it" href="https://appsec.space/it/about/"/></url></urlset>
\ No newline at end of file
+<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9" xmlns:xhtml="http://www.w3.org/1999/xhtml"><url><loc>https://appsec.space/it/</loc><lastmod>2024-03-31T11:33:45+02:00</lastmod><changefreq>weekly</changefreq><priority>1</priority><xhtml:link rel="alternate" hreflang="en" href="https://appsec.space/"/><xhtml:link rel="alternate" hreflang="it" href="https://appsec.space/it/"/></url><url><loc>https://appsec.space/it/tags/backdoor/</loc><lastmod>2024-03-31T11:33:45+02:00</lastmod><changefreq>weekly</changefreq><priority>1</priority><xhtml:link rel="alternate" hreflang="en" href="https://appsec.space/tags/backdoor/"/><xhtml:link rel="alternate" hreflang="it" href="https://appsec.space/it/tags/backdoor/"/></url><url><loc>https://appsec.space/it/tags/cve-2024-3094/</loc><lastmod>2024-03-31T11:33:45+02:00</lastmod><changefreq>weekly</changefreq><priority>1</priority><xhtml:link rel="alternate" hreflang="en" href="https://appsec.space/tags/cve-2024-3094/"/><xhtml:link rel="alternate" hreflang="it" href="https://appsec.space/it/tags/cve-2024-3094/"/></url><url><loc>https://appsec.space/it/posts/xz-backdoor/</loc><lastmod>2024-03-31T11:33:45+02:00</lastmod><changefreq>weekly</changefreq><priority>1</priority><xhtml:link rel="alternate" hreflang="en" href="https://appsec.space/posts/xz-backdoor/"/><xhtml:link rel="alternate" hreflang="it" href="https://appsec.space/it/posts/xz-backdoor/"/></url><url><loc>https://appsec.space/it/tags/liblzma/</loc><lastmod>2024-03-31T11:33:45+02:00</lastmod><changefreq>weekly</changefreq><priority>1</priority><xhtml:link rel="alternate" hreflang="en" href="https://appsec.space/tags/liblzma/"/><xhtml:link rel="alternate" hreflang="it" href="https://appsec.space/it/tags/liblzma/"/></url><url><loc>https://appsec.space/it/posts/</loc><lastmod>2024-03-31T11:33:45+02:00</lastmod><changefreq>weekly</changefreq><priority>1</priority><xhtml:link rel="alternate" hreflang="en" href="https://appsec.space/posts/"/><xhtml:link rel="alternate" hreflang="it" href="https://appsec.space/it/posts/"/></url><url><loc>https://appsec.space/it/tags/security-engineering/</loc><lastmod>2024-03-31T11:33:45+02:00</lastmod><changefreq>weekly</changefreq><priority>1</priority><xhtml:link rel="alternate" hreflang="en" href="https://appsec.space/tags/security-engineering/"/><xhtml:link rel="alternate" hreflang="it" href="https://appsec.space/it/tags/security-engineering/"/></url><url><loc>https://appsec.space/it/tags/supply-chain/</loc><lastmod>2024-03-31T11:33:45+02:00</lastmod><changefreq>weekly</changefreq><priority>1</priority><xhtml:link rel="alternate" hreflang="en" href="https://appsec.space/tags/supply-chain/"/><xhtml:link rel="alternate" hreflang="it" href="https://appsec.space/it/tags/supply-chain/"/></url><url><loc>https://appsec.space/it/tags/</loc><lastmod>2024-03-31T11:33:45+02:00</lastmod><changefreq>weekly</changefreq><priority>1</priority><xhtml:link rel="alternate" hreflang="en" href="https://appsec.space/tags/"/><xhtml:link rel="alternate" hreflang="it" href="https://appsec.space/it/tags/"/></url><url><loc>https://appsec.space/it/tags/xz/</loc><lastmod>2024-03-31T11:33:45+02:00</lastmod><changefreq>weekly</changefreq><priority>1</priority><xhtml:link rel="alternate" hreflang="en" href="https://appsec.space/tags/xz/"/><xhtml:link rel="alternate" hreflang="it" href="https://appsec.space/it/tags/xz/"/></url><url><loc>https://appsec.space/it/categories/</loc><lastmod>2024-03-30T22:00:02+01:00</lastmod><changefreq>weekly</changefreq><priority>1</priority><xhtml:link rel="alternate" hreflang="en" href="https://appsec.space/categories/"/><xhtml:link rel="alternate" hreflang="it" href="https://appsec.space/it/categories/"/></url><url><loc>https://appsec.space/it/categories/general-knowledge/</loc><lastmod>2024-03-30T22:00:02+01:00</lastmod><changefreq>weekly</changefreq><priority>1</priority><xhtml:link rel="alternate" hreflang="en" href="https://appsec.space/categories/general-knowledge/"/><xhtml:link rel="alternate" hreflang="it" href="https://appsec.space/it/categories/general-knowledge/"/></url><url><loc>https://appsec.space/it/tags/infosec/</loc><lastmod>2024-03-30T22:00:02+01:00</lastmod><changefreq>weekly</changefreq><priority>1</priority><xhtml:link rel="alternate" hreflang="en" href="https://appsec.space/tags/infosec/"/><xhtml:link rel="alternate" hreflang="it" href="https://appsec.space/it/tags/infosec/"/></url><url><loc>https://appsec.space/it/tags/rants/</loc><lastmod>2024-03-30T22:00:02+01:00</lastmod><changefreq>weekly</changefreq><priority>1</priority><xhtml:link rel="alternate" hreflang="en" href="https://appsec.space/tags/rants/"/><xhtml:link rel="alternate" hreflang="it" href="https://appsec.space/it/tags/rants/"/></url><url><loc>https://appsec.space/it/tags/security-theatre/</loc><lastmod>2024-03-30T22:00:02+01:00</lastmod><changefreq>weekly</changefreq><priority>1</priority><xhtml:link rel="alternate" hreflang="en" href="https://appsec.space/tags/security-theatre/"/><xhtml:link rel="alternate" hreflang="it" href="https://appsec.space/it/tags/security-theatre/"/></url><url><loc>https://appsec.space/it/posts/security-theatre/</loc><lastmod>2024-03-30T22:00:02+01:00</lastmod><changefreq>weekly</changefreq><priority>1</priority><xhtml:link rel="alternate" hreflang="en" href="https://appsec.space/posts/security-theatre/"/><xhtml:link rel="alternate" hreflang="it" href="https://appsec.space/it/posts/security-theatre/"/></url><url><loc>https://appsec.space/it/posts/long-time-no-see/</loc><lastmod>2024-03-30T22:00:02+01:00</lastmod><changefreq>weekly</changefreq><priority>1</priority><xhtml:link rel="alternate" hreflang="en" href="https://appsec.space/posts/long-time-no-see/"/><xhtml:link rel="alternate" hreflang="it" href="https://appsec.space/it/posts/long-time-no-see/"/></url><url><loc>https://appsec.space/it/tags/updates/</loc><lastmod>2024-03-30T22:00:02+01:00</lastmod><changefreq>weekly</changefreq><priority>1</priority><xhtml:link rel="alternate" hreflang="en" href="https://appsec.space/tags/updates/"/><xhtml:link rel="alternate" hreflang="it" href="https://appsec.space/it/tags/updates/"/></url><url><loc>https://appsec.space/it/about/</loc><lastmod>2023-03-21T22:11:59+01:00</lastmod><changefreq>weekly</changefreq><priority>0.5</priority><xhtml:link rel="alternate" hreflang="en" href="https://appsec.space/about/"/><xhtml:link rel="alternate" hreflang="it" href="https://appsec.space/it/about/"/></url></urlset>
\ No newline at end of file
diff --git a/it/tags/backdoor/index.xml b/it/tags/backdoor/index.xml
index 3794724..64c9dcb 100644
--- a/it/tags/backdoor/index.xml
+++ b/it/tags/backdoor/index.xml
@@ -61,12 +61,12 @@ Stava ottimizzando la sua infrastruttura e si è accorto che ssh era &ldquo;sosp
     <a href="#componenti-impattate" class="header-mark"></a>2 Componenti impattate</h2><p>L&rsquo;estensione di questo breach è ancora poco chiaro di seguito è riportata una (parziale) lista dei componenti che contiengono la versione malevola di <code>xz</code>:</p>
 <p>Distribuzioni:</p>
 <ul>
-<li>Arch</li>
+<li><a href="https://archlinux.org/news/the-xz-package-has-been-backdoored/" target="_blank" rel="noopener noreferrer">Arch</a></li>
 <li><a href="https://security-tracker.debian.org/tracker/CVE-2024-3094" target="_blank" rel="noopener noreferrer">Debian Sid</a></li>
-<li>Gentoo</li>
+<li><a href="https://bugs.gentoo.org/928134" target="_blank" rel="noopener noreferrer">Gentoo</a></li>
 <li><a href="https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users" target="_blank" rel="noopener noreferrer">Fedora 40</a></li>
 <li>Manjaro Testing</li>
-<li>Parabola</li>
+<li><a href="https://www.parabola.nu/news/arch-announce-the-xz-package-has-been-backdoored/" target="_blank" rel="noopener noreferrer">Parabola</a></li>
 <li>NixOS Unstable</li>
 <li>Slackware</li>
 <li><a href="https://news.opensuse.org/2024/03/29/xz-backdoor/" target="_blank" rel="noopener noreferrer">SUSE Tumbleweed</a></li>
diff --git a/it/tags/cve-2024-3094/index.xml b/it/tags/cve-2024-3094/index.xml
index 42132e5..76f9ffe 100644
--- a/it/tags/cve-2024-3094/index.xml
+++ b/it/tags/cve-2024-3094/index.xml
@@ -61,12 +61,12 @@ Stava ottimizzando la sua infrastruttura e si è accorto che ssh era &ldquo;sosp
     <a href="#componenti-impattate" class="header-mark"></a>2 Componenti impattate</h2><p>L&rsquo;estensione di questo breach è ancora poco chiaro di seguito è riportata una (parziale) lista dei componenti che contiengono la versione malevola di <code>xz</code>:</p>
 <p>Distribuzioni:</p>
 <ul>
-<li>Arch</li>
+<li><a href="https://archlinux.org/news/the-xz-package-has-been-backdoored/" target="_blank" rel="noopener noreferrer">Arch</a></li>
 <li><a href="https://security-tracker.debian.org/tracker/CVE-2024-3094" target="_blank" rel="noopener noreferrer">Debian Sid</a></li>
-<li>Gentoo</li>
+<li><a href="https://bugs.gentoo.org/928134" target="_blank" rel="noopener noreferrer">Gentoo</a></li>
 <li><a href="https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users" target="_blank" rel="noopener noreferrer">Fedora 40</a></li>
 <li>Manjaro Testing</li>
-<li>Parabola</li>
+<li><a href="https://www.parabola.nu/news/arch-announce-the-xz-package-has-been-backdoored/" target="_blank" rel="noopener noreferrer">Parabola</a></li>
 <li>NixOS Unstable</li>
 <li>Slackware</li>
 <li><a href="https://news.opensuse.org/2024/03/29/xz-backdoor/" target="_blank" rel="noopener noreferrer">SUSE Tumbleweed</a></li>
diff --git a/it/tags/liblzma/index.xml b/it/tags/liblzma/index.xml
index f66e882..a5b8cda 100644
--- a/it/tags/liblzma/index.xml
+++ b/it/tags/liblzma/index.xml
@@ -61,12 +61,12 @@ Stava ottimizzando la sua infrastruttura e si è accorto che ssh era &ldquo;sosp
     <a href="#componenti-impattate" class="header-mark"></a>2 Componenti impattate</h2><p>L&rsquo;estensione di questo breach è ancora poco chiaro di seguito è riportata una (parziale) lista dei componenti che contiengono la versione malevola di <code>xz</code>:</p>
 <p>Distribuzioni:</p>
 <ul>
-<li>Arch</li>
+<li><a href="https://archlinux.org/news/the-xz-package-has-been-backdoored/" target="_blank" rel="noopener noreferrer">Arch</a></li>
 <li><a href="https://security-tracker.debian.org/tracker/CVE-2024-3094" target="_blank" rel="noopener noreferrer">Debian Sid</a></li>
-<li>Gentoo</li>
+<li><a href="https://bugs.gentoo.org/928134" target="_blank" rel="noopener noreferrer">Gentoo</a></li>
 <li><a href="https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users" target="_blank" rel="noopener noreferrer">Fedora 40</a></li>
 <li>Manjaro Testing</li>
-<li>Parabola</li>
+<li><a href="https://www.parabola.nu/news/arch-announce-the-xz-package-has-been-backdoored/" target="_blank" rel="noopener noreferrer">Parabola</a></li>
 <li>NixOS Unstable</li>
 <li>Slackware</li>
 <li><a href="https://news.opensuse.org/2024/03/29/xz-backdoor/" target="_blank" rel="noopener noreferrer">SUSE Tumbleweed</a></li>
diff --git a/it/tags/security-engineering/index.xml b/it/tags/security-engineering/index.xml
index c931bae..299f46f 100644
--- a/it/tags/security-engineering/index.xml
+++ b/it/tags/security-engineering/index.xml
@@ -61,12 +61,12 @@ Stava ottimizzando la sua infrastruttura e si è accorto che ssh era &ldquo;sosp
     <a href="#componenti-impattate" class="header-mark"></a>2 Componenti impattate</h2><p>L&rsquo;estensione di questo breach è ancora poco chiaro di seguito è riportata una (parziale) lista dei componenti che contiengono la versione malevola di <code>xz</code>:</p>
 <p>Distribuzioni:</p>
 <ul>
-<li>Arch</li>
+<li><a href="https://archlinux.org/news/the-xz-package-has-been-backdoored/" target="_blank" rel="noopener noreferrer">Arch</a></li>
 <li><a href="https://security-tracker.debian.org/tracker/CVE-2024-3094" target="_blank" rel="noopener noreferrer">Debian Sid</a></li>
-<li>Gentoo</li>
+<li><a href="https://bugs.gentoo.org/928134" target="_blank" rel="noopener noreferrer">Gentoo</a></li>
 <li><a href="https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users" target="_blank" rel="noopener noreferrer">Fedora 40</a></li>
 <li>Manjaro Testing</li>
-<li>Parabola</li>
+<li><a href="https://www.parabola.nu/news/arch-announce-the-xz-package-has-been-backdoored/" target="_blank" rel="noopener noreferrer">Parabola</a></li>
 <li>NixOS Unstable</li>
 <li>Slackware</li>
 <li><a href="https://news.opensuse.org/2024/03/29/xz-backdoor/" target="_blank" rel="noopener noreferrer">SUSE Tumbleweed</a></li>
diff --git a/it/tags/supply-chain/index.xml b/it/tags/supply-chain/index.xml
index f48fe4c..faa3be1 100644
--- a/it/tags/supply-chain/index.xml
+++ b/it/tags/supply-chain/index.xml
@@ -61,12 +61,12 @@ Stava ottimizzando la sua infrastruttura e si è accorto che ssh era &ldquo;sosp
     <a href="#componenti-impattate" class="header-mark"></a>2 Componenti impattate</h2><p>L&rsquo;estensione di questo breach è ancora poco chiaro di seguito è riportata una (parziale) lista dei componenti che contiengono la versione malevola di <code>xz</code>:</p>
 <p>Distribuzioni:</p>
 <ul>
-<li>Arch</li>
+<li><a href="https://archlinux.org/news/the-xz-package-has-been-backdoored/" target="_blank" rel="noopener noreferrer">Arch</a></li>
 <li><a href="https://security-tracker.debian.org/tracker/CVE-2024-3094" target="_blank" rel="noopener noreferrer">Debian Sid</a></li>
-<li>Gentoo</li>
+<li><a href="https://bugs.gentoo.org/928134" target="_blank" rel="noopener noreferrer">Gentoo</a></li>
 <li><a href="https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users" target="_blank" rel="noopener noreferrer">Fedora 40</a></li>
 <li>Manjaro Testing</li>
-<li>Parabola</li>
+<li><a href="https://www.parabola.nu/news/arch-announce-the-xz-package-has-been-backdoored/" target="_blank" rel="noopener noreferrer">Parabola</a></li>
 <li>NixOS Unstable</li>
 <li>Slackware</li>
 <li><a href="https://news.opensuse.org/2024/03/29/xz-backdoor/" target="_blank" rel="noopener noreferrer">SUSE Tumbleweed</a></li>
diff --git a/it/tags/xz/index.xml b/it/tags/xz/index.xml
index 8523ca2..c8690e3 100644
--- a/it/tags/xz/index.xml
+++ b/it/tags/xz/index.xml
@@ -61,12 +61,12 @@ Stava ottimizzando la sua infrastruttura e si è accorto che ssh era &ldquo;sosp
     <a href="#componenti-impattate" class="header-mark"></a>2 Componenti impattate</h2><p>L&rsquo;estensione di questo breach è ancora poco chiaro di seguito è riportata una (parziale) lista dei componenti che contiengono la versione malevola di <code>xz</code>:</p>
 <p>Distribuzioni:</p>
 <ul>
-<li>Arch</li>
+<li><a href="https://archlinux.org/news/the-xz-package-has-been-backdoored/" target="_blank" rel="noopener noreferrer">Arch</a></li>
 <li><a href="https://security-tracker.debian.org/tracker/CVE-2024-3094" target="_blank" rel="noopener noreferrer">Debian Sid</a></li>
-<li>Gentoo</li>
+<li><a href="https://bugs.gentoo.org/928134" target="_blank" rel="noopener noreferrer">Gentoo</a></li>
 <li><a href="https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users" target="_blank" rel="noopener noreferrer">Fedora 40</a></li>
 <li>Manjaro Testing</li>
-<li>Parabola</li>
+<li><a href="https://www.parabola.nu/news/arch-announce-the-xz-package-has-been-backdoored/" target="_blank" rel="noopener noreferrer">Parabola</a></li>
 <li>NixOS Unstable</li>
 <li>Slackware</li>
 <li><a href="https://news.opensuse.org/2024/03/29/xz-backdoor/" target="_blank" rel="noopener noreferrer">SUSE Tumbleweed</a></li>
diff --git a/posts/index.xml b/posts/index.xml
index 75c7f1e..ffa0b42 100644
--- a/posts/index.xml
+++ b/posts/index.xml
@@ -15,7 +15,7 @@ Check the Resources section for additional links.</p>
 <p>The situation doesn&rsquo;t look too good so I&rsquo;m trying to write this blogpost as a summary.</p>
 <p>I don&rsquo;t want to address the technical aspect of the compromission but I want to look at the issue from the perspective of a Security Engineer, summarizing what went wrong and trying to find a remediation.</p>
 <h2 id="timeline" class="headerLink">
-    <a href="#timeline" class="header-mark"></a>1 Timeline</h2><div class="details admonition tip open">
+    <a href="#timeline" class="header-mark"></a>1 Timeline</h2><div class="details admonition tip">
         <div class="details-summary admonition-title">
             <i class="icon fas fa-lightbulb fa-fw"></i>Note<i class="details-icon fas fa-angle-right fa-fw"></i>
         </div>
@@ -55,12 +55,12 @@ He was optimizing his infrastructure and found that ssh was  suspiciously slow.
     <a href="#impacted-components" class="header-mark"></a>2 Impacted components</h2><p>The extent of this breach is still unkown, but here is a (partial) list of components shipping the known malicious version of <code>xz</code>:</p>
 <p>Distributions:</p>
 <ul>
-<li>Arch</li>
+<li><a href="https://archlinux.org/news/the-xz-package-has-been-backdoored/" target="_blank" rel="noopener noreferrer">Arch</a></li>
 <li><a href="https://security-tracker.debian.org/tracker/CVE-2024-3094" target="_blank" rel="noopener noreferrer">Debian Sid</a></li>
-<li>Gentoo</li>
+<li><a href="https://bugs.gentoo.org/928134" target="_blank" rel="noopener noreferrer">Gentoo</a></li>
 <li><a href="https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users" target="_blank" rel="noopener noreferrer">Fedora 40</a></li>
 <li>Manjaro Testing</li>
-<li>Parabola</li>
+<li><a href="https://www.parabola.nu/news/arch-announce-the-xz-package-has-been-backdoored/" target="_blank" rel="noopener noreferrer">Parabola</a></li>
 <li>NixOS Unstable</li>
 <li>Slackware</li>
 <li><a href="https://news.opensuse.org/2024/03/29/xz-backdoor/" target="_blank" rel="noopener noreferrer">SUSE Tumbleweed</a></li>
diff --git a/posts/xz-backdoor/index.html b/posts/xz-backdoor/index.html
index d63c947..c8b6aaa 100644
--- a/posts/xz-backdoor/index.html
+++ b/posts/xz-backdoor/index.html
@@ -1,7 +1,7 @@
 <!doctype html><html lang=en><head><meta charset=utf-8><meta name=viewport content="width=device-width,initial-scale=1"><meta name=robots content="noodp"><title>The xz backdoor from a Security Engineer persepective - appsec & stuff</title><meta name=Description content><meta property="og:title" content="The xz backdoor from a Security Engineer persepective">
 <meta property="og:description" content="As you probably already heard, the xz package got compromised.
-The package was used as entrypoint to inject malicious code in sshd, altering the authentication flow. This forged vulnerability is now known as CVE-2024-3094."><meta property="og:type" content="article"><meta property="og:url" content="https://appsec.space/posts/xz-backdoor/"><meta property="og:image" content="https://appsec.space/images/logo.png"><meta property="article:section" content="posts"><meta property="article:published_time" content="2024-03-30T19:49:24+01:00"><meta property="article:modified_time" content="2024-03-31T11:20:16+02:00"><meta property="og:site_name" content="appsec.space"><meta name=twitter:card content="summary_large_image"><meta name=twitter:image content="https://appsec.space/images/logo.png"><meta name=twitter:title content="The xz backdoor from a Security Engineer persepective"><meta name=twitter:description content="As you probably already heard, the xz package got compromised.
-The package was used as entrypoint to inject malicious code in sshd, altering the authentication flow. This forged vulnerability is now known as CVE-2024-3094."><meta name=application-name content="appsec & stuff"><meta name=apple-mobile-web-app-title content="appsec & stuff"><meta name=theme-color content="#f8f8f8"><link rel="shortcut icon" type=image/x-icon href=/favicon.ico><link rel=icon type=image/png sizes=32x32 href=/favicon-32x32.png><link rel=icon type=image/png sizes=16x16 href=/favicon-16x16.png><link rel=apple-touch-icon sizes=180x180 href=/apple-touch-icon.png><link rel=canonical href=https://appsec.space/posts/xz-backdoor/><link rel=prev href=https://appsec.space/posts/security-theatre/><link rel=stylesheet href=/css/main.b86bec8a7c1321e2b5e187a36d45cf663cb7b452290988619ab647973ec932afb7b7a921ce9c74fe7748384c262951a8db5334e017a020de16436470a45f21e1.css integrity="sha512-uGvsinwTIeK14YejbUXPZjy3tFIpCYhhmrZHlz7JMq+3t6khzpx0/ndIOEwmKVGo21M04BegIN4WQ2RwpF8h4Q=="><link rel=stylesheet href=/lib/normalize/normalize.min.8235a67a2521ef99fb1e455a5891b022af1653b4ede3cfffcac4e473beee88fbcc1a36bbb3cfdd75fd6df46732032f9d96e30adae9c88b769e1fbf7945cd27e0.css integrity="sha512-gjWmeiUh75n7HkVaWJGwIq8WU7Tt48//ysTkc77uiPvMGja7s8/ddf1t9GcyAy+dluMK2unIi3aeH795Rc0n4A=="><link rel=stylesheet href=/css/color.346090a8e4618da38ff45853421bbd1d5ffa3c25e678a3f0131c9f7d5300e15669f91c74f1ed5fab76e7424a2a6a5619a9dc45f99e04f246e37d8af51295b6ae.css integrity="sha512-NGCQqORhjaOP9FhTQhu9HV/6PCXmeKPwExyffVMA4VZp+Rx08e1fq3bnQkoqalYZqdxF+Z4E8kbjfYr1EpW2rg=="><link rel=stylesheet href=/css/style.min.576f64e626e323b8a4701fb2c2d135ec573b32168ff045421aa6092cf2fd42b2664350a8d27e76f5d1843ca3f40e7eb247bf05283550cfc42275cfa9a68fbfa7.css integrity="sha512-V29k5ibjI7ikcB+ywtE17Fc7MhaP8EVCGqYJLPL9QrJmQ1Co0n529dGEPKP0Dn6yR78FKDVQz8Qidc+ppo+/pw=="><link rel=preload as=style onload='this.onload=null,this.rel="stylesheet"' href=/lib/fontawesome-free/all.min.eb8387c9eb0ab6d4fa4d7ad397d15df13b92c009a1eb221b757dd1ecfccabc78a4c5b681847a7f4198ff7cd60abed8300508c9dea138cd1f4a85f09f09b2092a.css integrity="sha512-64OHyesKttT6TXrTl9Fd8TuSwAmh6yIbdX3R7PzKvHikxbaBhHp/QZj/fNYKvtgwBQjJ3qE4zR9KhfCfCbIJKg=="><noscript><link rel=stylesheet href=/lib/fontawesome-free/all.min.eb8387c9eb0ab6d4fa4d7ad397d15df13b92c009a1eb221b757dd1ecfccabc78a4c5b681847a7f4198ff7cd60abed8300508c9dea138cd1f4a85f09f09b2092a.css integrity="sha512-64OHyesKttT6TXrTl9Fd8TuSwAmh6yIbdX3R7PzKvHikxbaBhHp/QZj/fNYKvtgwBQjJ3qE4zR9KhfCfCbIJKg=="></noscript><link rel=preload as=style onload='this.onload=null,this.rel="stylesheet"' href=/lib/animate/animate.min.738daa4d2c3fc0f677ff92c1cc3f81c397fb6d2176a31a2eeb011bf88fe5a9e68a57914321f32fbd1a7bef6cb88dc24b2ae1943a96c931d83f053979d1f25803.css integrity="sha512-c42qTSw/wPZ3/5LBzD+Bw5f7bSF2oxou6wEb+I/lqeaKV5FDIfMvvRp772y4jcJLKuGUOpbJMdg/BTl50fJYAw=="><noscript><link rel=stylesheet href=/lib/animate/animate.min.738daa4d2c3fc0f677ff92c1cc3f81c397fb6d2176a31a2eeb011bf88fe5a9e68a57914321f32fbd1a7bef6cb88dc24b2ae1943a96c931d83f053979d1f25803.css integrity="sha512-c42qTSw/wPZ3/5LBzD+Bw5f7bSF2oxou6wEb+I/lqeaKV5FDIfMvvRp772y4jcJLKuGUOpbJMdg/BTl50fJYAw=="></noscript><script type=application/ld+json>{"@context":"http://schema.org","@type":"BlogPosting","headline":"The xz backdoor from a Security Engineer persepective","inLanguage":"en","mainEntityOfPage":{"@type":"WebPage","@id":"https:\/\/appsec.space\/posts\/xz-backdoor\/"},"genre":"posts","keywords":"backdoor, CVE-2024-3094, xz, liblzma, supply-chain, security-engineering","wordcount":1385,"url":"https:\/\/appsec.space\/posts\/xz-backdoor\/","datePublished":"2024-03-30T19:49:24+01:00","dateModified":"2024-03-31T11:20:16+02:00","publisher":{"@type":"Organization","name":"himazawa"},"author":{"@type":"Person","name":"himazawa"},"description":""}</script><script src=//instant.page/5.2.0 defer type=module integrity=sha384-jnZyxPjiipYXnSU0ygqeac2q7CVYMbh84q0uHVRRxEtvFPiQYbXWUorga2aqZJ0z></script></head><body header-desktop=fixed header-mobile=auto><script type=text/javascript>function setTheme(e){document.body.setAttribute("theme",e),document.documentElement.style.setProperty("color-scheme",e==="light"?"light":"dark"),window.theme=e,window.isDark=window.theme!=="light"}function saveTheme(e){window.localStorage&&localStorage.setItem("theme",e)}function getMeta(e){const t=document.getElementsByTagName("meta");for(let n=0;n<t.length;n++)if(t[n].getAttribute("name")===e)return t[n];return""}if(window.localStorage&&localStorage.getItem("theme")){let e=localStorage.getItem("theme");e==="light"||e==="dark"||e==="black"?setTheme(e):setTheme(window.matchMedia&&window.matchMedia("(prefers-color-scheme: dark)").matches?"dark":"light")}else"auto"==="light"||"auto"==="dark"||"auto"==="black"?(setTheme("auto"),saveTheme("auto")):(saveTheme("auto"),setTheme(window.matchMedia&&window.matchMedia("(prefers-color-scheme: dark)").matches?"dark":"light"));let metaColors={light:"#f8f8f8",dark:"#252627",black:"#000000"};getMeta("theme-color").content=metaColors[document.body.getAttribute("theme")],window.switchThemeEventSet=new Set</script><div id=back-to-top></div><div id=mask></div><div class=wrapper><header class=desktop id=header-desktop><div class=header-wrapper><div class=header-title><a href=/ title="appsec & stuff"><img class=logo loading=lazy src=/images/circle_cropped_logo.png srcset="/images/circle_cropped_logo.png, /images/circle_cropped_logo.png 1.5x, /images/circle_cropped_logo.png 2x" sizes=auto alt=/images/circle_cropped_logo.png title=/images/circle_cropped_logo.png></a></div><div class=menu><div class=menu-inner><a class=menu-item href=/posts/>Posts </a><a class=menu-item href=/categories/>Categories </a><a class=menu-item href=/about/>About me </a><span class="menu-item delimiter"></span><a href=javascript:void(0); class="menu-item language" title="Select Language">English<i class="fas fa-chevron-right fa-fw"></i>
+The package was used as entrypoint to inject malicious code in sshd, altering the authentication flow. This forged vulnerability is now known as CVE-2024-3094."><meta property="og:type" content="article"><meta property="og:url" content="https://appsec.space/posts/xz-backdoor/"><meta property="og:image" content="https://appsec.space/images/logo.png"><meta property="article:section" content="posts"><meta property="article:published_time" content="2024-03-30T19:49:24+01:00"><meta property="article:modified_time" content="2024-03-31T11:33:45+02:00"><meta property="og:site_name" content="appsec.space"><meta name=twitter:card content="summary_large_image"><meta name=twitter:image content="https://appsec.space/images/logo.png"><meta name=twitter:title content="The xz backdoor from a Security Engineer persepective"><meta name=twitter:description content="As you probably already heard, the xz package got compromised.
+The package was used as entrypoint to inject malicious code in sshd, altering the authentication flow. This forged vulnerability is now known as CVE-2024-3094."><meta name=application-name content="appsec & stuff"><meta name=apple-mobile-web-app-title content="appsec & stuff"><meta name=theme-color content="#f8f8f8"><link rel="shortcut icon" type=image/x-icon href=/favicon.ico><link rel=icon type=image/png sizes=32x32 href=/favicon-32x32.png><link rel=icon type=image/png sizes=16x16 href=/favicon-16x16.png><link rel=apple-touch-icon sizes=180x180 href=/apple-touch-icon.png><link rel=canonical href=https://appsec.space/posts/xz-backdoor/><link rel=prev href=https://appsec.space/posts/security-theatre/><link rel=stylesheet href=/css/main.b86bec8a7c1321e2b5e187a36d45cf663cb7b452290988619ab647973ec932afb7b7a921ce9c74fe7748384c262951a8db5334e017a020de16436470a45f21e1.css integrity="sha512-uGvsinwTIeK14YejbUXPZjy3tFIpCYhhmrZHlz7JMq+3t6khzpx0/ndIOEwmKVGo21M04BegIN4WQ2RwpF8h4Q=="><link rel=stylesheet href=/lib/normalize/normalize.min.8235a67a2521ef99fb1e455a5891b022af1653b4ede3cfffcac4e473beee88fbcc1a36bbb3cfdd75fd6df46732032f9d96e30adae9c88b769e1fbf7945cd27e0.css integrity="sha512-gjWmeiUh75n7HkVaWJGwIq8WU7Tt48//ysTkc77uiPvMGja7s8/ddf1t9GcyAy+dluMK2unIi3aeH795Rc0n4A=="><link rel=stylesheet href=/css/color.346090a8e4618da38ff45853421bbd1d5ffa3c25e678a3f0131c9f7d5300e15669f91c74f1ed5fab76e7424a2a6a5619a9dc45f99e04f246e37d8af51295b6ae.css integrity="sha512-NGCQqORhjaOP9FhTQhu9HV/6PCXmeKPwExyffVMA4VZp+Rx08e1fq3bnQkoqalYZqdxF+Z4E8kbjfYr1EpW2rg=="><link rel=stylesheet href=/css/style.min.576f64e626e323b8a4701fb2c2d135ec573b32168ff045421aa6092cf2fd42b2664350a8d27e76f5d1843ca3f40e7eb247bf05283550cfc42275cfa9a68fbfa7.css integrity="sha512-V29k5ibjI7ikcB+ywtE17Fc7MhaP8EVCGqYJLPL9QrJmQ1Co0n529dGEPKP0Dn6yR78FKDVQz8Qidc+ppo+/pw=="><link rel=preload as=style onload='this.onload=null,this.rel="stylesheet"' href=/lib/fontawesome-free/all.min.eb8387c9eb0ab6d4fa4d7ad397d15df13b92c009a1eb221b757dd1ecfccabc78a4c5b681847a7f4198ff7cd60abed8300508c9dea138cd1f4a85f09f09b2092a.css integrity="sha512-64OHyesKttT6TXrTl9Fd8TuSwAmh6yIbdX3R7PzKvHikxbaBhHp/QZj/fNYKvtgwBQjJ3qE4zR9KhfCfCbIJKg=="><noscript><link rel=stylesheet href=/lib/fontawesome-free/all.min.eb8387c9eb0ab6d4fa4d7ad397d15df13b92c009a1eb221b757dd1ecfccabc78a4c5b681847a7f4198ff7cd60abed8300508c9dea138cd1f4a85f09f09b2092a.css integrity="sha512-64OHyesKttT6TXrTl9Fd8TuSwAmh6yIbdX3R7PzKvHikxbaBhHp/QZj/fNYKvtgwBQjJ3qE4zR9KhfCfCbIJKg=="></noscript><link rel=preload as=style onload='this.onload=null,this.rel="stylesheet"' href=/lib/animate/animate.min.738daa4d2c3fc0f677ff92c1cc3f81c397fb6d2176a31a2eeb011bf88fe5a9e68a57914321f32fbd1a7bef6cb88dc24b2ae1943a96c931d83f053979d1f25803.css integrity="sha512-c42qTSw/wPZ3/5LBzD+Bw5f7bSF2oxou6wEb+I/lqeaKV5FDIfMvvRp772y4jcJLKuGUOpbJMdg/BTl50fJYAw=="><noscript><link rel=stylesheet href=/lib/animate/animate.min.738daa4d2c3fc0f677ff92c1cc3f81c397fb6d2176a31a2eeb011bf88fe5a9e68a57914321f32fbd1a7bef6cb88dc24b2ae1943a96c931d83f053979d1f25803.css integrity="sha512-c42qTSw/wPZ3/5LBzD+Bw5f7bSF2oxou6wEb+I/lqeaKV5FDIfMvvRp772y4jcJLKuGUOpbJMdg/BTl50fJYAw=="></noscript><script type=application/ld+json>{"@context":"http://schema.org","@type":"BlogPosting","headline":"The xz backdoor from a Security Engineer persepective","inLanguage":"en","mainEntityOfPage":{"@type":"WebPage","@id":"https:\/\/appsec.space\/posts\/xz-backdoor\/"},"genre":"posts","keywords":"backdoor, CVE-2024-3094, xz, liblzma, supply-chain, security-engineering","wordcount":1385,"url":"https:\/\/appsec.space\/posts\/xz-backdoor\/","datePublished":"2024-03-30T19:49:24+01:00","dateModified":"2024-03-31T11:33:45+02:00","publisher":{"@type":"Organization","name":"himazawa"},"author":{"@type":"Person","name":"himazawa"},"description":""}</script><script src=//instant.page/5.2.0 defer type=module integrity=sha384-jnZyxPjiipYXnSU0ygqeac2q7CVYMbh84q0uHVRRxEtvFPiQYbXWUorga2aqZJ0z></script></head><body header-desktop=fixed header-mobile=auto><script type=text/javascript>function setTheme(e){document.body.setAttribute("theme",e),document.documentElement.style.setProperty("color-scheme",e==="light"?"light":"dark"),window.theme=e,window.isDark=window.theme!=="light"}function saveTheme(e){window.localStorage&&localStorage.setItem("theme",e)}function getMeta(e){const t=document.getElementsByTagName("meta");for(let n=0;n<t.length;n++)if(t[n].getAttribute("name")===e)return t[n];return""}if(window.localStorage&&localStorage.getItem("theme")){let e=localStorage.getItem("theme");e==="light"||e==="dark"||e==="black"?setTheme(e):setTheme(window.matchMedia&&window.matchMedia("(prefers-color-scheme: dark)").matches?"dark":"light")}else"auto"==="light"||"auto"==="dark"||"auto"==="black"?(setTheme("auto"),saveTheme("auto")):(saveTheme("auto"),setTheme(window.matchMedia&&window.matchMedia("(prefers-color-scheme: dark)").matches?"dark":"light"));let metaColors={light:"#f8f8f8",dark:"#252627",black:"#000000"};getMeta("theme-color").content=metaColors[document.body.getAttribute("theme")],window.switchThemeEventSet=new Set</script><div id=back-to-top></div><div id=mask></div><div class=wrapper><header class=desktop id=header-desktop><div class=header-wrapper><div class=header-title><a href=/ title="appsec & stuff"><img class=logo loading=lazy src=/images/circle_cropped_logo.png srcset="/images/circle_cropped_logo.png, /images/circle_cropped_logo.png 1.5x, /images/circle_cropped_logo.png 2x" sizes=auto alt=/images/circle_cropped_logo.png title=/images/circle_cropped_logo.png></a></div><div class=menu><div class=menu-inner><a class=menu-item href=/posts/>Posts </a><a class=menu-item href=/categories/>Categories </a><a class=menu-item href=/about/>About me </a><span class="menu-item delimiter"></span><a href=javascript:void(0); class="menu-item language" title="Select Language">English<i class="fas fa-chevron-right fa-fw"></i>
 <select class=language-select title="Select Language" id=language-select-desktop onchange="location=this.value"><option value=/posts/xz-backdoor/ selected>English</option><option value=/it/posts/xz-backdoor/>Italiano</option></select>
 </a><span class="menu-item search" id=search-desktop><input type=text placeholder="Search titles or contents..." id=search-input-desktop>
 <a href=javascript:void(0); class="search-button search-toggle" id=search-toggle-desktop title=Search><i class="fas fa-search fa-fw"></i>
@@ -17,8 +17,8 @@
 </a><a href=javascript:void(0); class=menu-item title="Select Language">English<i class="fas fa-chevron-right fa-fw"></i>
 <select class=language-select title="Select Language" onchange="location=this.value"><option value=/posts/xz-backdoor/ selected>English</option><option value=/it/posts/xz-backdoor/>Italiano</option></select></a></div></div></header><div class="search-dropdown desktop"><div id=search-dropdown-desktop></div></div><div class="search-dropdown mobile"><div id=search-dropdown-mobile></div></div><main class=main><div class=container><div class=toc id=toc-auto><h2 class=toc-title>Contents</h2><div class=toc-content id=toc-content-auto><nav id=TableOfContents><ul><li><a href=#timeline>Timeline</a></li><li><a href=#impacted-components>Impacted components</a></li><li><a href=#considerations>Considerations</a><ul><li><a href=#the-github-behavior>The GitHub Behavior</a></li><li><a href=#the-downgrades>The downgrades</a></li></ul></li><li><a href=#how-to-prevent-this-issue>How to prevent this issue?</a><ul><li><a href=#trust-issues>Trust issues</a></li><li><a href=#github-stats>GitHub Stats</a></li><li><a href=#community-engagement>Community Engagement</a></li><li><a href=#funding-and-support>Funding and Support</a></li><li><a href=#sdlc>SDLC</a></li><li><a href=#enterprise-vs-individual>Enterprise vs Individual</a></li><li><a href=#recursive-controls>Recursive controls</a></li></ul></li><li><a href=#resources>Resources</a></li></ul></nav></div></div><script>document.getElementsByTagName("main")[0].setAttribute("autoTOC","true")</script><article class="page single"><h1 class="single-title animate__animated animate__flipInX">The xz backdoor from a Security Engineer persepective</h1><h2 class=single-subtitle>Yet another supply chain attack</h2><div class=post-meta><div class=post-meta-line><span class=post-author><span class="author fas fa-user-circle fa-fw"></span><a href=/ title=Author rel=author class=author>himazawa</a></span></div><div class=post-meta-line><i class="far fa-calendar-alt fa-fw"></i>&nbsp;<time datetime=2024-03-30>2024-03-30</time>&nbsp;<i class="far fa-edit fa-fw"></i>&nbsp;<time datetime=2024-03-31>2024-03-31</time>&nbsp;<i class="fas fa-pencil-alt fa-fw"></i>&nbsp;1385 words&nbsp;<i class="far fa-clock fa-fw"></i>&nbsp;7 minutes&nbsp;</div></div><div class=featured-image><img loading=eager src=/posts/xz-backdoor/xz.png srcset="/posts/xz-backdoor/xz.png, /posts/xz-backdoor/xz.png 1.5x, /posts/xz-backdoor/xz.png 2x" sizes=auto alt=/posts/xz-backdoor/xz.png title=/posts/xz-backdoor/xz.png height=112 width=950></div><div class="details toc" id=toc-static kept><div class="details-summary toc-title"><span>Contents</span>
 <span><i class="details-icon fas fa-angle-right"></i></span></div><div class="details-content toc-content" id=toc-content-static><nav id=TableOfContents><ul><li><a href=#timeline>Timeline</a></li><li><a href=#impacted-components>Impacted components</a></li><li><a href=#considerations>Considerations</a><ul><li><a href=#the-github-behavior>The GitHub Behavior</a></li><li><a href=#the-downgrades>The downgrades</a></li></ul></li><li><a href=#how-to-prevent-this-issue>How to prevent this issue?</a><ul><li><a href=#trust-issues>Trust issues</a></li><li><a href=#github-stats>GitHub Stats</a></li><li><a href=#community-engagement>Community Engagement</a></li><li><a href=#funding-and-support>Funding and Support</a></li><li><a href=#sdlc>SDLC</a></li><li><a href=#enterprise-vs-individual>Enterprise vs Individual</a></li><li><a href=#recursive-controls>Recursive controls</a></li></ul></li><li><a href=#resources>Resources</a></li></ul></nav></div></div><div class=content id=content><p>As you probably already heard, the <code>xz</code> package got compromised.</p><p>The package was used as entrypoint to inject malicious code in sshd, altering the authentication flow. This forged vulnerability is now known as <a href=https://nvd.nist.gov/vuln/detail/CVE-2024-3094 target=_blank rel="noopener noreferrer">CVE-2024-3094</a>.</p><div class="details admonition tip open"><div class="details-summary admonition-title"><i class="icon fas fa-lightbulb fa-fw"></i>Note<i class="details-icon fas fa-angle-right fa-fw"></i></div><div class=details-content><div class=admonition-content>The situation is still ongoing, more details will emerge in the near future and I will update this post accordingly.</div></div></div><p>This is probably a full fledged operation due to it&rsquo;s methodology and duration but I&rsquo;m not the right guy to talk about OpSec and Threat Actors attributions.
-Check the Resources section for additional links.</p><p>The situation doesn&rsquo;t look too good so I&rsquo;m trying to write this blogpost as a summary.</p><p>I don&rsquo;t want to address the technical aspect of the compromission but I want to look at the issue from the perspective of a Security Engineer, summarizing what went wrong and trying to find a remediation.</p><h2 id=timeline class=headerLink><a href=#timeline class=header-mark></a>1 Timeline</h2><div class="details admonition tip open"><div class="details-summary admonition-title"><i class="icon fas fa-lightbulb fa-fw"></i>Note<i class="details-icon fas fa-angle-right fa-fw"></i></div><div class=details-content><div class=admonition-content>Check the Resources section for a link to an article with a detailed timeline</div></div></div><ul><li><strong>2023</strong>:<ul><li>A new maintainer shows up in the <code>xz</code> project</li></ul></li><li><strong>29 Mar 2024</strong>:<ul><li><p>Andres Freund sent an email to the oss-security mailing list regarding a backdoor in <code>xz/liblzma</code>.
-He was optimizing his infrastructure and found that ssh was suspiciously slow. Some debug later he found the issue was likely caused by the backdoor. The initial analysis was performed with the help of Florian Weimer.</p></li><li><p>Impacted distros are starting to ship patches to downgrade the xz version (more on that later)</p></li></ul></li><li><strong>30 Mar 2024</strong>:<ul><li><p>GitHub blocked access to the repostiory and blocked the account of both the xz maintainers</p></li><li><p>An <a href=https://tukaani.org/xz-backdoor/ target=_blank rel="noopener noreferrer">official statement</a> was released by the project maintainer</p></li></ul></li></ul><h2 id=impacted-components class=headerLink><a href=#impacted-components class=header-mark></a>2 Impacted components</h2><p>The extent of this breach is still unkown, but here is a (partial) list of components shipping the known malicious version of <code>xz</code>:</p><p>Distributions:</p><ul><li>Arch</li><li><a href=https://security-tracker.debian.org/tracker/CVE-2024-3094 target=_blank rel="noopener noreferrer">Debian Sid</a></li><li>Gentoo</li><li><a href=https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users target=_blank rel="noopener noreferrer">Fedora 40</a></li><li>Manjaro Testing</li><li>Parabola</li><li>NixOS Unstable</li><li>Slackware</li><li><a href=https://news.opensuse.org/2024/03/29/xz-backdoor/ target=_blank rel="noopener noreferrer">SUSE Tumbleweed</a></li><li><a href=https://infosec.exchange/@kalilinux/112180505434870941 target=_blank rel="noopener noreferrer">Kali Linux</a></li></ul><p>The backdoored package is also contained in the following package managers:</p><ul><li>Homebrew</li><li>MacPorts</li><li>pkgsrc</li></ul><p>At the moment we know that the there are checks in the backdoor to <a href rel>target Linux instances and only x86_64/amd64</a> builds so the affected target could be reduced but since the entire situation is unclear I would not reccommend to keep a compromised package on your system.</p><h2 id=considerations class=headerLink><a href=#considerations class=header-mark></a>3 Considerations</h2><h3 id=the-github-behavior class=headerLink><a href=#the-github-behavior class=header-mark></a>3.1 The GitHub Behavior</h3><p>The reasons behind the <code>xz</code> repositories lockdown are still a mistery to me, especially knowing that with the source code available additional anaysis on the backdoor could be performed.</p><p>Blocking access to the source code is something that will delay further results, that is honestly really bad for time-critical situation like this one.</p><h3 id=the-downgrades class=headerLink><a href=#the-downgrades class=header-mark></a>3.2 The downgrades</h3><p>The patch strategy for basically everyone was to force a downgrade from the <code>5.6.0</code>-<code>5.6.1</code> to another version.<br>Some (homebrew, for example), forced the downgrade to 5.4.6.</p><p>This looks interesting because for sure we know there is a backdoor on that (<code>5.6.0</code>-<code>5.6.1</code>) versions, but we also know that the attacker has been working on the repository for over two years.</p><p>The <code>5.4.6</code> version is also builded by the attacker and honestly wouldn&rsquo;t trust it much.
+Check the Resources section for additional links.</p><p>The situation doesn&rsquo;t look too good so I&rsquo;m trying to write this blogpost as a summary.</p><p>I don&rsquo;t want to address the technical aspect of the compromission but I want to look at the issue from the perspective of a Security Engineer, summarizing what went wrong and trying to find a remediation.</p><h2 id=timeline class=headerLink><a href=#timeline class=header-mark></a>1 Timeline</h2><div class="details admonition tip"><div class="details-summary admonition-title"><i class="icon fas fa-lightbulb fa-fw"></i>Note<i class="details-icon fas fa-angle-right fa-fw"></i></div><div class=details-content><div class=admonition-content>Check the Resources section for a link to an article with a detailed timeline</div></div></div><ul><li><strong>2023</strong>:<ul><li>A new maintainer shows up in the <code>xz</code> project</li></ul></li><li><strong>29 Mar 2024</strong>:<ul><li><p>Andres Freund sent an email to the oss-security mailing list regarding a backdoor in <code>xz/liblzma</code>.
+He was optimizing his infrastructure and found that ssh was suspiciously slow. Some debug later he found the issue was likely caused by the backdoor. The initial analysis was performed with the help of Florian Weimer.</p></li><li><p>Impacted distros are starting to ship patches to downgrade the xz version (more on that later)</p></li></ul></li><li><strong>30 Mar 2024</strong>:<ul><li><p>GitHub blocked access to the repostiory and blocked the account of both the xz maintainers</p></li><li><p>An <a href=https://tukaani.org/xz-backdoor/ target=_blank rel="noopener noreferrer">official statement</a> was released by the project maintainer</p></li></ul></li></ul><h2 id=impacted-components class=headerLink><a href=#impacted-components class=header-mark></a>2 Impacted components</h2><p>The extent of this breach is still unkown, but here is a (partial) list of components shipping the known malicious version of <code>xz</code>:</p><p>Distributions:</p><ul><li><a href=https://archlinux.org/news/the-xz-package-has-been-backdoored/ target=_blank rel="noopener noreferrer">Arch</a></li><li><a href=https://security-tracker.debian.org/tracker/CVE-2024-3094 target=_blank rel="noopener noreferrer">Debian Sid</a></li><li><a href=https://bugs.gentoo.org/928134 target=_blank rel="noopener noreferrer">Gentoo</a></li><li><a href=https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users target=_blank rel="noopener noreferrer">Fedora 40</a></li><li>Manjaro Testing</li><li><a href=https://www.parabola.nu/news/arch-announce-the-xz-package-has-been-backdoored/ target=_blank rel="noopener noreferrer">Parabola</a></li><li>NixOS Unstable</li><li>Slackware</li><li><a href=https://news.opensuse.org/2024/03/29/xz-backdoor/ target=_blank rel="noopener noreferrer">SUSE Tumbleweed</a></li><li><a href=https://infosec.exchange/@kalilinux/112180505434870941 target=_blank rel="noopener noreferrer">Kali Linux</a></li></ul><p>The backdoored package is also contained in the following package managers:</p><ul><li>Homebrew</li><li>MacPorts</li><li>pkgsrc</li></ul><p>At the moment we know that the there are checks in the backdoor to <a href rel>target Linux instances and only x86_64/amd64</a> builds so the affected target could be reduced but since the entire situation is unclear I would not reccommend to keep a compromised package on your system.</p><h2 id=considerations class=headerLink><a href=#considerations class=header-mark></a>3 Considerations</h2><h3 id=the-github-behavior class=headerLink><a href=#the-github-behavior class=header-mark></a>3.1 The GitHub Behavior</h3><p>The reasons behind the <code>xz</code> repositories lockdown are still a mistery to me, especially knowing that with the source code available additional anaysis on the backdoor could be performed.</p><p>Blocking access to the source code is something that will delay further results, that is honestly really bad for time-critical situation like this one.</p><h3 id=the-downgrades class=headerLink><a href=#the-downgrades class=header-mark></a>3.2 The downgrades</h3><p>The patch strategy for basically everyone was to force a downgrade from the <code>5.6.0</code>-<code>5.6.1</code> to another version.<br>Some (homebrew, for example), forced the downgrade to 5.4.6.</p><p>This looks interesting because for sure we know there is a backdoor on that (<code>5.6.0</code>-<code>5.6.1</code>) versions, but we also know that the attacker has been working on the repository for over two years.</p><p>The <code>5.4.6</code> version is also builded by the attacker and honestly wouldn&rsquo;t trust it much.
 Again, thanks GitHub for locking the access to the source code.</p><h2 id=how-to-prevent-this-issue class=headerLink><a href=#how-to-prevent-this-issue class=header-mark></a>4 How to prevent this issue?</h2><p>As I said at the beginning of the post, I don&rsquo;t want to go too deep into the technical analysis of the backdoor, for two main reasons: with the sourcecode locked and only <a href=https://github.com/xz-mirror/xz target=_blank rel="noopener noreferrer">an archive available</a> the informations are incomplete and I really don&rsquo;t want to reverse the <code>xz</code> binary.
 Also, and this is the more important reasons, people more knowledgeable than me on Threat Actors behaviors are already on it.
 I will just link their posts once are ready, so make sure to check the Resources section below.</p><p>One thing I can do here is showing the point of view of a Security Engineer on the issue, how I would mitigate the problem and what steps went wrong.</p><div class="details admonition tip open"><div class="details-summary admonition-title"><i class="icon fas fa-lightbulb fa-fw"></i>Note<i class="details-icon fas fa-angle-right fa-fw"></i></div><div class=details-content><div class=admonition-content>TL;DR: there isn&rsquo;t an actual solution</div></div></div><h3 id=trust-issues class=headerLink><a href=#trust-issues class=header-mark></a>4.1 Trust issues</h3><p><figure><a class=lightgallery href=https://imgs.xkcd.com/comics/dependency_2x.png title=https://imgs.xkcd.com/comics/dependency_2x.png data-thumbnail=https://imgs.xkcd.com/comics/dependency_2x.png><img loading=lazy src=https://imgs.xkcd.com/comics/dependency_2x.png srcset="https://imgs.xkcd.com/comics/dependency_2x.png, https://imgs.xkcd.com/comics/dependency_2x.png 1.5x, https://imgs.xkcd.com/comics/dependency_2x.png 2x" sizes=auto alt=https://imgs.xkcd.com/comics/dependency_2x.png></a></figure></p><p><code>xz</code> is a software mainteined (up until 2023) by 1 single guy. Later another maintainer joined but unfortunately for us, it was the same guy pushing the backdoor to upstream.
@@ -26,6 +26,6 @@
 When talking about supply chain security the reccomendations are always the same: pin the hashes and use signature verification. This will work as long as you have scenarios like a malicious attacker compromising the dependency CICD and pushing a malicious build, account compromissions etc.</p><p>But what can you do if all of a sudden, trusted maintainers goes rogue?</p><p>As a standard user, unless you want (and are able to) code review every single commit from every single piece of software your OS interact with: pretty much nothing.</p><p>On the other hand, developers and repository owners should really increase controls on their supply chain and include strict metrics to exclude high risk packages.
 One of the biggest gimmicks of Open Source security is people beliving that since the source code is available the code magically became safe.</p><p>One critical factor often overlooked is the assumption that having access to the source code automatically translates into a larger pool of eyes scrutinizing it for vulnerabilities.</p><p>The effectiveness of this review process depends on the level of community engagement and the expertise of those inspecting the code, and usually is not much at all. Many projects receive minimal attention from developers, with only a handful of individuals actively contributing or reviewing code changes. As a result, vulnerabilities (intentional or not) may go unnoticed for extended periods, posing significant security risks to users.</p><p>Every time a discussion like that appears I always remember the <a href=https://blog.infosectcbr.com.au/2018/11/pitfalls-using-strcat.html target=_blank rel="noopener noreferrer">InfosectCBR&rsquo;s &ldquo;Month of Kali&rdquo;</a> where <a href=https://twitter.com/silviocesare target=_blank rel="noopener noreferrer">Silvio Cesare</a> spent a month popping vulnerabilities on Kali Linux software.</p><p>But which factors could contribute on minimizing the risks?</p><h3 id=github-stats class=headerLink><a href=#github-stats class=header-mark></a>4.2 GitHub Stats</h3><p>Just to be clear from the beginning: No, you can&rsquo;t trust this kind of metrics.</p><p>There is an hidden market of buying and selling GitHub stats like stars, forks etc.
 You can read a nice article here: <a href=https://dagster.io/blog/fake-stars target=_blank rel="noopener noreferrer">https://dagster.io/blog/fake-stars</a></p><h3 id=community-engagement class=headerLink><a href=#community-engagement class=header-mark></a>4.3 Community Engagement</h3><p>Evaluate the size and engagement of the community surrounding the project.</p><p>A large and active community can provide additional eyes for reviewing code, reporting bugs, and addressing security issues promptly. <code>xz/liblzma</code> had litterally 2 maintainers and one was the malicious actor.</p><h3 id=funding-and-support class=headerLink><a href=#funding-and-support class=header-mark></a>4.4 Funding and Support</h3><p>Consider whether the project receives financial support or sponsorship from reputable organizations. Projects with dedicated funding tend to have more resources available for security audits and ongoing maintenance.
-And also are less likely to be completely abandoned.</p><div class="details admonition tip open"><div class="details-summary admonition-title"><i class="icon fas fa-lightbulb fa-fw"></i>Tip<i class="details-icon fas fa-angle-right fa-fw"></i></div><div class=details-content><div class=admonition-content>Remember: you want to rely on that dependency for the whole week, not only during the maintainer&rsquo;s freetime, projects with a nice financial support will likely be full-time jobs and not just hobbies.</div></div></div><h3 id=sdlc class=headerLink><a href=#sdlc class=header-mark></a>4.5 SDLC</h3><p>A good portion of the evaluation should also focus on the SDLC to e ensure security (and quality in general) gates are correcly implemented, approvals on PRs are mandatory and there are healthy practices in place to prevent one single contributor to push malicious code without approval.</p><p>Also take in considerations that we are humans, and we make errors. Passing a code review doesn&rsquo;t mean the code is safe, as I said before: there is no real solution, just ways to decrease the probablity for the bad stuff to happen.</p><h3 id=enterprise-vs-individual class=headerLink><a href=#enterprise-vs-individual class=header-mark></a>4.6 Enterprise vs Individual</h3><p>This is a controversial topic because there are projects that are maintained by individuals that are well structured but usually relying on (large) enterprise projects will ensure their SDLC best practices are followed, money are keeping the project alive, and a big company is less likely to go all in and backdoor their project on purpose. Again, this just increases the probablity, don&rsquo;t take it for granted ;)</p><h3 id=recursive-controls class=headerLink><a href=#recursive-controls class=header-mark></a>4.7 Recursive controls</h3><p>The project you are including will probably also have dependencies, make sure the same scrutiny is applied by the project maintainers on their supply chain to avoid indirect compromission.</p><h2 id=resources class=headerLink><a href=#resources class=header-mark></a>5 Resources</h2><ul><li>OSS-Security List: <a href=https://www.openwall.com/lists/oss-security/2024/03/29/4 target=_blank rel="noopener noreferrer">https://www.openwall.com/lists/oss-security/2024/03/29/4</a></li><li>Comprehensive timeline: <a href=https://boehs.org/node/everything-i-know-about-the-xz-backdoor target=_blank rel="noopener noreferrer">https://boehs.org/node/everything-i-know-about-the-xz-backdoor</a></li><li>Compromise link roundup: <a href=https://shellsharks.com/xz-compromise-link-roundup target=_blank rel="noopener noreferrer">https://shellsharks.com/xz-compromise-link-roundup</a></li><li>Obfuscation Analysis: <a href="https://gynvael.coldwind.pl/?lang=en&amp;id=782" target=_blank rel="noopener noreferrer">https://gynvael.coldwind.pl/?lang=en&id=782</a></li><li>Backdoor Analysis: <a href=https://gist.github.com/smx-smx/a6112d54777845d389bd7126d6e9f504 target=_blank rel="noopener noreferrer">https://gist.github.com/smx-smx/a6112d54777845d389bd7126d6e9f504</a></li></ul></div><div class=post-footer id=post-footer><div class=post-info><div class=post-info-line><div class=post-info-mod><span>Updated on 2024-03-31&nbsp;<a class=git-hash href=https://github.com/homazawa/himazawa.github.io/commit/91211a95fcf27db8f37732df582aed6d35ca691e target=_blank title="commit by himazawa(73994521+himazawa@users.noreply.github.com) 91211a95fcf27db8f37732df582aed6d35ca691e: chore: fixed typo" rel="noopener noreferrer">
-<i class="fas fa-hashtag fa-fw"></i>91211a9</a></span></div><div class=post-info-license></div></div><div class=post-info-line><div class=post-info-md><span><a class=link-to-mardown href=/posts/xz-backdoor/index.md target=_blank rel="noopener noreferrer">Read markdown</a></span></div><div class=post-info-share></div></div></div><div class=post-info-more><section class=post-tags><i class="fas fa-tags fa-fw"></i>&nbsp;<a href=/tags/backdoor/>Backdoor</a>,&nbsp;<a href=/tags/cve-2024-3094/>CVE-2024-3094</a>,&nbsp;<a href=/tags/xz/>Xz</a>,&nbsp;<a href=/tags/liblzma/>Liblzma</a>,&nbsp;<a href=/tags/supply-chain/>Supply-Chain</a>,&nbsp;<a href=/tags/security-engineering/>Security-Engineering</a></section><section><span><a href=javascript:void(0); onclick=window.history.back()>Back</a></span>&nbsp;|&nbsp;<span><a href=/>Home</a></span></section></div><div class=post-nav><a href=/posts/security-theatre/ class=prev rel=prev title="Security Theatre? More like Security Circus"><i class="fas fa-angle-left fa-fw"></i>Security Theatre? More like Security Circus</a></div></div></article></div></main></div><div id=fixed-buttons><a href=#back-to-top id=back-to-top-button class=fixed-button title="Back to Top"><i class="fas fa-arrow-up fa-fw"></i>
+And also are less likely to be completely abandoned.</p><div class="details admonition tip open"><div class="details-summary admonition-title"><i class="icon fas fa-lightbulb fa-fw"></i>Tip<i class="details-icon fas fa-angle-right fa-fw"></i></div><div class=details-content><div class=admonition-content>Remember: you want to rely on that dependency for the whole week, not only during the maintainer&rsquo;s freetime, projects with a nice financial support will likely be full-time jobs and not just hobbies.</div></div></div><h3 id=sdlc class=headerLink><a href=#sdlc class=header-mark></a>4.5 SDLC</h3><p>A good portion of the evaluation should also focus on the SDLC to e ensure security (and quality in general) gates are correcly implemented, approvals on PRs are mandatory and there are healthy practices in place to prevent one single contributor to push malicious code without approval.</p><p>Also take in considerations that we are humans, and we make errors. Passing a code review doesn&rsquo;t mean the code is safe, as I said before: there is no real solution, just ways to decrease the probablity for the bad stuff to happen.</p><h3 id=enterprise-vs-individual class=headerLink><a href=#enterprise-vs-individual class=header-mark></a>4.6 Enterprise vs Individual</h3><p>This is a controversial topic because there are projects that are maintained by individuals that are well structured but usually relying on (large) enterprise projects will ensure their SDLC best practices are followed, money are keeping the project alive, and a big company is less likely to go all in and backdoor their project on purpose. Again, this just increases the probablity, don&rsquo;t take it for granted ;)</p><h3 id=recursive-controls class=headerLink><a href=#recursive-controls class=header-mark></a>4.7 Recursive controls</h3><p>The project you are including will probably also have dependencies, make sure the same scrutiny is applied by the project maintainers on their supply chain to avoid indirect compromission.</p><h2 id=resources class=headerLink><a href=#resources class=header-mark></a>5 Resources</h2><ul><li>OSS-Security List: <a href=https://www.openwall.com/lists/oss-security/2024/03/29/4 target=_blank rel="noopener noreferrer">https://www.openwall.com/lists/oss-security/2024/03/29/4</a></li><li>Comprehensive timeline: <a href=https://boehs.org/node/everything-i-know-about-the-xz-backdoor target=_blank rel="noopener noreferrer">https://boehs.org/node/everything-i-know-about-the-xz-backdoor</a></li><li>Compromise link roundup: <a href=https://shellsharks.com/xz-compromise-link-roundup target=_blank rel="noopener noreferrer">https://shellsharks.com/xz-compromise-link-roundup</a></li><li>Obfuscation Analysis: <a href="https://gynvael.coldwind.pl/?lang=en&amp;id=782" target=_blank rel="noopener noreferrer">https://gynvael.coldwind.pl/?lang=en&id=782</a></li><li>Backdoor Analysis: <a href=https://gist.github.com/smx-smx/a6112d54777845d389bd7126d6e9f504 target=_blank rel="noopener noreferrer">https://gist.github.com/smx-smx/a6112d54777845d389bd7126d6e9f504</a></li></ul></div><div class=post-footer id=post-footer><div class=post-info><div class=post-info-line><div class=post-info-mod><span>Updated on 2024-03-31&nbsp;<a class=git-hash href=https://github.com/homazawa/himazawa.github.io/commit/00a5b087c956d52c39ac6d4de76ed02911552a02 target=_blank title="commit by himazawa(73994521+himazawa@users.noreply.github.com) 00a5b087c956d52c39ac6d4de76ed02911552a02: post: added references" rel="noopener noreferrer">
+<i class="fas fa-hashtag fa-fw"></i>00a5b08</a></span></div><div class=post-info-license></div></div><div class=post-info-line><div class=post-info-md><span><a class=link-to-mardown href=/posts/xz-backdoor/index.md target=_blank rel="noopener noreferrer">Read markdown</a></span></div><div class=post-info-share></div></div></div><div class=post-info-more><section class=post-tags><i class="fas fa-tags fa-fw"></i>&nbsp;<a href=/tags/backdoor/>Backdoor</a>,&nbsp;<a href=/tags/cve-2024-3094/>CVE-2024-3094</a>,&nbsp;<a href=/tags/xz/>Xz</a>,&nbsp;<a href=/tags/liblzma/>Liblzma</a>,&nbsp;<a href=/tags/supply-chain/>Supply-Chain</a>,&nbsp;<a href=/tags/security-engineering/>Security-Engineering</a></section><section><span><a href=javascript:void(0); onclick=window.history.back()>Back</a></span>&nbsp;|&nbsp;<span><a href=/>Home</a></span></section></div><div class=post-nav><a href=/posts/security-theatre/ class=prev rel=prev title="Security Theatre? More like Security Circus"><i class="fas fa-angle-left fa-fw"></i>Security Theatre? More like Security Circus</a></div></div></article></div></main></div><div id=fixed-buttons><a href=#back-to-top id=back-to-top-button class=fixed-button title="Back to Top"><i class="fas fa-arrow-up fa-fw"></i>
 </a><a href=# id=view-comments class=fixed-button title="View Comments"><i class="fas fa-comment fa-fw"></i></a></div><div class=assets><script type=text/javascript>window.config={code:{copyTitle:"Copy to clipboard",maxShownLines:10},comment:{},search:{distance:100,findAllMatches:!0,fuseIndexURL:"/index.json",highlightTag:"em",ignoreFieldNorm:!1,ignoreLocation:!0,isCaseSensitive:!1,location:0,maxResultLength:10,minMatchCharLength:2,noResultsFound:"No results found",snippetLength:300,threshold:.1,type:"fuse",useExtendedSearch:!1},table:{sort:!0}}</script><script type=text/javascript src=/lib/tablesort/tablesort.min.23640461c9e6941882f50f4208436e1932c806bcc32323a34ff378781204951e05534a0bbc3c1e401d111aa22a26ecc5d4f2cfb43af59d94da8a24f2b8ef8506.js integrity="sha512-I2QEYcnmlBiC9Q9CCENuGTLIBrzDIyOjT/N4eBIElR4FU0oLvDweQB0RGqIqJuzF1PLPtDr1nZTaiiTyuO+FBg=="></script><script type=text/javascript src=/lib/clipboard/clipboard.min.b08a94127467df50609e03e61edd897a7ce57830ec5f060efa2caf438e8cc3a44bfae7405198f69ffbbf3c663cd0dc51c729ceed1f71206c792c4cf0e0835625.js integrity="sha512-sIqUEnRn31BgngPmHt2JenzleDDsXwYO+iyvQ46Mw6RL+udAUZj2n/u/PGY80NxRxynO7R9xIGx5LEzw4INWJQ=="></script><script type=text/javascript src=/js/theme.min.js defer></script></div></body></html>
\ No newline at end of file
diff --git a/posts/xz-backdoor/index.md b/posts/xz-backdoor/index.md
index 3e9e09b..14677c6 100644
--- a/posts/xz-backdoor/index.md
+++ b/posts/xz-backdoor/index.md
@@ -18,7 +18,7 @@ The situation doesn't look too good so I'm trying to write this blogpost as a su
 I don't want to address the technical aspect of the compromission but I want to look at the issue from the perspective of a Security Engineer, summarizing what went wrong and trying to find a remediation.
 
 ## Timeline
-{{< admonition type=tip title="Note" open=true >}}
+{{< admonition type=tip title="Note" open=false >}}
 Check the Resources section for a link to an article with a detailed timeline
 {{< /admonition >}}
 
@@ -41,12 +41,12 @@ Check the Resources section for a link to an article with a detailed timeline
 The extent of this breach is still unkown, but here is a (partial) list of components shipping the known malicious version of `xz`:
 
 Distributions:
-- Arch
+- [Arch](https://archlinux.org/news/the-xz-package-has-been-backdoored/)
 - [Debian Sid](https://security-tracker.debian.org/tracker/CVE-2024-3094)
-- Gentoo
+- [Gentoo](https://bugs.gentoo.org/928134)
 - [Fedora 40](https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users)
 - Manjaro Testing
-- Parabola
+- [Parabola](https://www.parabola.nu/news/arch-announce-the-xz-package-has-been-backdoored/)
 - NixOS Unstable
 - Slackware
 - [SUSE Tumbleweed](https://news.opensuse.org/2024/03/29/xz-backdoor/)
diff --git a/sitemap.xml b/sitemap.xml
index 8b4c846..5719742 100644
--- a/sitemap.xml
+++ b/sitemap.xml
@@ -1 +1 @@
-<?xml version="1.0" encoding="utf-8" standalone="yes"?><sitemapindex xmlns="http://www.sitemaps.org/schemas/sitemap/0.9"><sitemap><loc>https://appsec.space/en/sitemap.xml</loc><lastmod>2024-03-31T11:20:16+02:00</lastmod></sitemap><sitemap><loc>https://appsec.space/it/sitemap.xml</loc><lastmod>2024-03-31T11:21:25+02:00</lastmod></sitemap></sitemapindex>
\ No newline at end of file
+<?xml version="1.0" encoding="utf-8" standalone="yes"?><sitemapindex xmlns="http://www.sitemaps.org/schemas/sitemap/0.9"><sitemap><loc>https://appsec.space/en/sitemap.xml</loc><lastmod>2024-03-31T11:33:45+02:00</lastmod></sitemap><sitemap><loc>https://appsec.space/it/sitemap.xml</loc><lastmod>2024-03-31T11:33:45+02:00</lastmod></sitemap></sitemapindex>
\ No newline at end of file
diff --git a/tags/backdoor/index.xml b/tags/backdoor/index.xml
index 69f1602..a84f155 100644
--- a/tags/backdoor/index.xml
+++ b/tags/backdoor/index.xml
@@ -15,7 +15,7 @@ Check the Resources section for additional links.</p>
 <p>The situation doesn&rsquo;t look too good so I&rsquo;m trying to write this blogpost as a summary.</p>
 <p>I don&rsquo;t want to address the technical aspect of the compromission but I want to look at the issue from the perspective of a Security Engineer, summarizing what went wrong and trying to find a remediation.</p>
 <h2 id="timeline" class="headerLink">
-    <a href="#timeline" class="header-mark"></a>1 Timeline</h2><div class="details admonition tip open">
+    <a href="#timeline" class="header-mark"></a>1 Timeline</h2><div class="details admonition tip">
         <div class="details-summary admonition-title">
             <i class="icon fas fa-lightbulb fa-fw"></i>Note<i class="details-icon fas fa-angle-right fa-fw"></i>
         </div>
@@ -55,12 +55,12 @@ He was optimizing his infrastructure and found that ssh was  suspiciously slow.
     <a href="#impacted-components" class="header-mark"></a>2 Impacted components</h2><p>The extent of this breach is still unkown, but here is a (partial) list of components shipping the known malicious version of <code>xz</code>:</p>
 <p>Distributions:</p>
 <ul>
-<li>Arch</li>
+<li><a href="https://archlinux.org/news/the-xz-package-has-been-backdoored/" target="_blank" rel="noopener noreferrer">Arch</a></li>
 <li><a href="https://security-tracker.debian.org/tracker/CVE-2024-3094" target="_blank" rel="noopener noreferrer">Debian Sid</a></li>
-<li>Gentoo</li>
+<li><a href="https://bugs.gentoo.org/928134" target="_blank" rel="noopener noreferrer">Gentoo</a></li>
 <li><a href="https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users" target="_blank" rel="noopener noreferrer">Fedora 40</a></li>
 <li>Manjaro Testing</li>
-<li>Parabola</li>
+<li><a href="https://www.parabola.nu/news/arch-announce-the-xz-package-has-been-backdoored/" target="_blank" rel="noopener noreferrer">Parabola</a></li>
 <li>NixOS Unstable</li>
 <li>Slackware</li>
 <li><a href="https://news.opensuse.org/2024/03/29/xz-backdoor/" target="_blank" rel="noopener noreferrer">SUSE Tumbleweed</a></li>
diff --git a/tags/cve-2024-3094/index.xml b/tags/cve-2024-3094/index.xml
index 07ab0b5..fdaaf1b 100644
--- a/tags/cve-2024-3094/index.xml
+++ b/tags/cve-2024-3094/index.xml
@@ -15,7 +15,7 @@ Check the Resources section for additional links.</p>
 <p>The situation doesn&rsquo;t look too good so I&rsquo;m trying to write this blogpost as a summary.</p>
 <p>I don&rsquo;t want to address the technical aspect of the compromission but I want to look at the issue from the perspective of a Security Engineer, summarizing what went wrong and trying to find a remediation.</p>
 <h2 id="timeline" class="headerLink">
-    <a href="#timeline" class="header-mark"></a>1 Timeline</h2><div class="details admonition tip open">
+    <a href="#timeline" class="header-mark"></a>1 Timeline</h2><div class="details admonition tip">
         <div class="details-summary admonition-title">
             <i class="icon fas fa-lightbulb fa-fw"></i>Note<i class="details-icon fas fa-angle-right fa-fw"></i>
         </div>
@@ -55,12 +55,12 @@ He was optimizing his infrastructure and found that ssh was  suspiciously slow.
     <a href="#impacted-components" class="header-mark"></a>2 Impacted components</h2><p>The extent of this breach is still unkown, but here is a (partial) list of components shipping the known malicious version of <code>xz</code>:</p>
 <p>Distributions:</p>
 <ul>
-<li>Arch</li>
+<li><a href="https://archlinux.org/news/the-xz-package-has-been-backdoored/" target="_blank" rel="noopener noreferrer">Arch</a></li>
 <li><a href="https://security-tracker.debian.org/tracker/CVE-2024-3094" target="_blank" rel="noopener noreferrer">Debian Sid</a></li>
-<li>Gentoo</li>
+<li><a href="https://bugs.gentoo.org/928134" target="_blank" rel="noopener noreferrer">Gentoo</a></li>
 <li><a href="https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users" target="_blank" rel="noopener noreferrer">Fedora 40</a></li>
 <li>Manjaro Testing</li>
-<li>Parabola</li>
+<li><a href="https://www.parabola.nu/news/arch-announce-the-xz-package-has-been-backdoored/" target="_blank" rel="noopener noreferrer">Parabola</a></li>
 <li>NixOS Unstable</li>
 <li>Slackware</li>
 <li><a href="https://news.opensuse.org/2024/03/29/xz-backdoor/" target="_blank" rel="noopener noreferrer">SUSE Tumbleweed</a></li>
diff --git a/tags/liblzma/index.xml b/tags/liblzma/index.xml
index 1505950..436f834 100644
--- a/tags/liblzma/index.xml
+++ b/tags/liblzma/index.xml
@@ -15,7 +15,7 @@ Check the Resources section for additional links.</p>
 <p>The situation doesn&rsquo;t look too good so I&rsquo;m trying to write this blogpost as a summary.</p>
 <p>I don&rsquo;t want to address the technical aspect of the compromission but I want to look at the issue from the perspective of a Security Engineer, summarizing what went wrong and trying to find a remediation.</p>
 <h2 id="timeline" class="headerLink">
-    <a href="#timeline" class="header-mark"></a>1 Timeline</h2><div class="details admonition tip open">
+    <a href="#timeline" class="header-mark"></a>1 Timeline</h2><div class="details admonition tip">
         <div class="details-summary admonition-title">
             <i class="icon fas fa-lightbulb fa-fw"></i>Note<i class="details-icon fas fa-angle-right fa-fw"></i>
         </div>
@@ -55,12 +55,12 @@ He was optimizing his infrastructure and found that ssh was  suspiciously slow.
     <a href="#impacted-components" class="header-mark"></a>2 Impacted components</h2><p>The extent of this breach is still unkown, but here is a (partial) list of components shipping the known malicious version of <code>xz</code>:</p>
 <p>Distributions:</p>
 <ul>
-<li>Arch</li>
+<li><a href="https://archlinux.org/news/the-xz-package-has-been-backdoored/" target="_blank" rel="noopener noreferrer">Arch</a></li>
 <li><a href="https://security-tracker.debian.org/tracker/CVE-2024-3094" target="_blank" rel="noopener noreferrer">Debian Sid</a></li>
-<li>Gentoo</li>
+<li><a href="https://bugs.gentoo.org/928134" target="_blank" rel="noopener noreferrer">Gentoo</a></li>
 <li><a href="https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users" target="_blank" rel="noopener noreferrer">Fedora 40</a></li>
 <li>Manjaro Testing</li>
-<li>Parabola</li>
+<li><a href="https://www.parabola.nu/news/arch-announce-the-xz-package-has-been-backdoored/" target="_blank" rel="noopener noreferrer">Parabola</a></li>
 <li>NixOS Unstable</li>
 <li>Slackware</li>
 <li><a href="https://news.opensuse.org/2024/03/29/xz-backdoor/" target="_blank" rel="noopener noreferrer">SUSE Tumbleweed</a></li>
diff --git a/tags/security-engineering/index.xml b/tags/security-engineering/index.xml
index 6766669..f46b197 100644
--- a/tags/security-engineering/index.xml
+++ b/tags/security-engineering/index.xml
@@ -15,7 +15,7 @@ Check the Resources section for additional links.</p>
 <p>The situation doesn&rsquo;t look too good so I&rsquo;m trying to write this blogpost as a summary.</p>
 <p>I don&rsquo;t want to address the technical aspect of the compromission but I want to look at the issue from the perspective of a Security Engineer, summarizing what went wrong and trying to find a remediation.</p>
 <h2 id="timeline" class="headerLink">
-    <a href="#timeline" class="header-mark"></a>1 Timeline</h2><div class="details admonition tip open">
+    <a href="#timeline" class="header-mark"></a>1 Timeline</h2><div class="details admonition tip">
         <div class="details-summary admonition-title">
             <i class="icon fas fa-lightbulb fa-fw"></i>Note<i class="details-icon fas fa-angle-right fa-fw"></i>
         </div>
@@ -55,12 +55,12 @@ He was optimizing his infrastructure and found that ssh was  suspiciously slow.
     <a href="#impacted-components" class="header-mark"></a>2 Impacted components</h2><p>The extent of this breach is still unkown, but here is a (partial) list of components shipping the known malicious version of <code>xz</code>:</p>
 <p>Distributions:</p>
 <ul>
-<li>Arch</li>
+<li><a href="https://archlinux.org/news/the-xz-package-has-been-backdoored/" target="_blank" rel="noopener noreferrer">Arch</a></li>
 <li><a href="https://security-tracker.debian.org/tracker/CVE-2024-3094" target="_blank" rel="noopener noreferrer">Debian Sid</a></li>
-<li>Gentoo</li>
+<li><a href="https://bugs.gentoo.org/928134" target="_blank" rel="noopener noreferrer">Gentoo</a></li>
 <li><a href="https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users" target="_blank" rel="noopener noreferrer">Fedora 40</a></li>
 <li>Manjaro Testing</li>
-<li>Parabola</li>
+<li><a href="https://www.parabola.nu/news/arch-announce-the-xz-package-has-been-backdoored/" target="_blank" rel="noopener noreferrer">Parabola</a></li>
 <li>NixOS Unstable</li>
 <li>Slackware</li>
 <li><a href="https://news.opensuse.org/2024/03/29/xz-backdoor/" target="_blank" rel="noopener noreferrer">SUSE Tumbleweed</a></li>
diff --git a/tags/supply-chain/index.xml b/tags/supply-chain/index.xml
index a689051..f5895aa 100644
--- a/tags/supply-chain/index.xml
+++ b/tags/supply-chain/index.xml
@@ -15,7 +15,7 @@ Check the Resources section for additional links.</p>
 <p>The situation doesn&rsquo;t look too good so I&rsquo;m trying to write this blogpost as a summary.</p>
 <p>I don&rsquo;t want to address the technical aspect of the compromission but I want to look at the issue from the perspective of a Security Engineer, summarizing what went wrong and trying to find a remediation.</p>
 <h2 id="timeline" class="headerLink">
-    <a href="#timeline" class="header-mark"></a>1 Timeline</h2><div class="details admonition tip open">
+    <a href="#timeline" class="header-mark"></a>1 Timeline</h2><div class="details admonition tip">
         <div class="details-summary admonition-title">
             <i class="icon fas fa-lightbulb fa-fw"></i>Note<i class="details-icon fas fa-angle-right fa-fw"></i>
         </div>
@@ -55,12 +55,12 @@ He was optimizing his infrastructure and found that ssh was  suspiciously slow.
     <a href="#impacted-components" class="header-mark"></a>2 Impacted components</h2><p>The extent of this breach is still unkown, but here is a (partial) list of components shipping the known malicious version of <code>xz</code>:</p>
 <p>Distributions:</p>
 <ul>
-<li>Arch</li>
+<li><a href="https://archlinux.org/news/the-xz-package-has-been-backdoored/" target="_blank" rel="noopener noreferrer">Arch</a></li>
 <li><a href="https://security-tracker.debian.org/tracker/CVE-2024-3094" target="_blank" rel="noopener noreferrer">Debian Sid</a></li>
-<li>Gentoo</li>
+<li><a href="https://bugs.gentoo.org/928134" target="_blank" rel="noopener noreferrer">Gentoo</a></li>
 <li><a href="https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users" target="_blank" rel="noopener noreferrer">Fedora 40</a></li>
 <li>Manjaro Testing</li>
-<li>Parabola</li>
+<li><a href="https://www.parabola.nu/news/arch-announce-the-xz-package-has-been-backdoored/" target="_blank" rel="noopener noreferrer">Parabola</a></li>
 <li>NixOS Unstable</li>
 <li>Slackware</li>
 <li><a href="https://news.opensuse.org/2024/03/29/xz-backdoor/" target="_blank" rel="noopener noreferrer">SUSE Tumbleweed</a></li>
diff --git a/tags/xz/index.xml b/tags/xz/index.xml
index 021c3bb..b4c04e5 100644
--- a/tags/xz/index.xml
+++ b/tags/xz/index.xml
@@ -15,7 +15,7 @@ Check the Resources section for additional links.</p>
 <p>The situation doesn&rsquo;t look too good so I&rsquo;m trying to write this blogpost as a summary.</p>
 <p>I don&rsquo;t want to address the technical aspect of the compromission but I want to look at the issue from the perspective of a Security Engineer, summarizing what went wrong and trying to find a remediation.</p>
 <h2 id="timeline" class="headerLink">
-    <a href="#timeline" class="header-mark"></a>1 Timeline</h2><div class="details admonition tip open">
+    <a href="#timeline" class="header-mark"></a>1 Timeline</h2><div class="details admonition tip">
         <div class="details-summary admonition-title">
             <i class="icon fas fa-lightbulb fa-fw"></i>Note<i class="details-icon fas fa-angle-right fa-fw"></i>
         </div>
@@ -55,12 +55,12 @@ He was optimizing his infrastructure and found that ssh was  suspiciously slow.
     <a href="#impacted-components" class="header-mark"></a>2 Impacted components</h2><p>The extent of this breach is still unkown, but here is a (partial) list of components shipping the known malicious version of <code>xz</code>:</p>
 <p>Distributions:</p>
 <ul>
-<li>Arch</li>
+<li><a href="https://archlinux.org/news/the-xz-package-has-been-backdoored/" target="_blank" rel="noopener noreferrer">Arch</a></li>
 <li><a href="https://security-tracker.debian.org/tracker/CVE-2024-3094" target="_blank" rel="noopener noreferrer">Debian Sid</a></li>
-<li>Gentoo</li>
+<li><a href="https://bugs.gentoo.org/928134" target="_blank" rel="noopener noreferrer">Gentoo</a></li>
 <li><a href="https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users" target="_blank" rel="noopener noreferrer">Fedora 40</a></li>
 <li>Manjaro Testing</li>
-<li>Parabola</li>
+<li><a href="https://www.parabola.nu/news/arch-announce-the-xz-package-has-been-backdoored/" target="_blank" rel="noopener noreferrer">Parabola</a></li>
 <li>NixOS Unstable</li>
 <li>Slackware</li>
 <li><a href="https://news.opensuse.org/2024/03/29/xz-backdoor/" target="_blank" rel="noopener noreferrer">SUSE Tumbleweed</a></li>