#clojure
2024-03-30
valerauko 06:03:51

I've seen some conflicting stuff about this so I'd love some clarity: does the xz/liblzma backdoor have any direct impact on clojure on the jvm (temurin)?

Alex Miller (Clojure team) 13:03:54

Clojure itself does not use or depend on lzma. Can you share links to the conflicting stuff re jvm?

valerauko 13:03:31

It was on social media so I'll probably never find it again... Some people claimed that some JDK builds used xz/lzma, then others argued that it only concerned certain libs that pulled that specific library in through FFI, but I couldn't track the convo any further.

Nundrum 15:03:24

There's evidence that the bad actor committed to the xz-java package. So consider that tainted for the time being. I haven't seen anything specifically about xz in any Java builds, but if I do I'll let you know.

Alex Miller (Clojure team) 16:03:04

I would be surprised if Java builds used that.

Nundrum 16:03:01

Oh, definitely not in the Java build. But it's a route for exploits to be in other projects.

valerauko 01:03:42

I guess this should be a pretty scary lesson to enterprises about supply chain security, huh?