author: Samuel Dionne-Riel <samuel@dionne-riel.com> 2022-10-17 17:34:00 -0400
committer: GitHub <noreply@github.com> 2022-10-17 17:34:00 -0400
commit: 6c69164a590451ab98ed7463b612dfd99ab8186f (patch)
tree: dd05c55dfcb92cdf222bc1bcab7aa9c4329c3186 /blog
parent: accdfcb50440a51998dcfb34cef4af1c9bea56a9 (diff)
download: xesite-6c69164a590451ab98ed7463b612dfd99ab8186f.tar.xz, xesite-6c69164a590451ab98ed7463b612dfd99ab8186f.zip
OVE-20221017-0001: Add paragraph about possible RCE (#559)
Diffstat (limited to 'blog')
-rw-r--r-- blog/OVE-20221017-0001.markdown | 4
1 files changed, 4 insertions, 0 deletions
diff --git a/blog/OVE-20221017-0001.markdown b/blog/OVE-20221017-0001.markdown
index 1ca7f01..2726404 100644
--- a/blog/OVE-20221017-0001.markdown
+++ b/blog/OVE-20221017-0001.markdown
@@ -23,6 +23,10 @@ It is unknown at this time if PolyMC is compromised, but software like this
being in the hands of reactionaries is a very sketchy situation. I am monitoring
this situation and will give updates when I can.
+It is unknown if it is safe to run existing installations of PolyMC, as [it
+reportedly fetches metadata about .jar files to run at runtime](https://github.com/NixOS/nixpkgs/issues/196460)
+from a now presumably untrustworthy service.
+
If you are a user of PolyMC, it may be best to uninstall it until we can get
more information about this emerging situation. I am treating this as a
compromise of the upstream because that is the least bad way to describe this.
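Review bot: the added paragraph never states the consequence that the commit title calls "possible RCE", so a reader is left to infer why a runtime metadata fetch from an untrusted service matters for an already-installed copy; suggest one sentence after "from a now presumably untrustworthy service." making it explicit that a service which controls what .jar files the client runs could push a malicious file to existing installs, which is also what justifies the uninstall advice in the following paragraph. The phrase "fetches metadata about .jar files to run at runtime" is ambiguous about whether "at runtime" attaches to the fetch or to the .jar files; wording such as "fetches, at runtime, metadata about which .jar files to run" removes the ambiguity. Since the claim is hedged with "reportedly" and the only source is the linked nixpkgs issue, consider naming it as such ("according to a report in a nixpkgs issue") rather than leaving the link text to carry that qualification.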