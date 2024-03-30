

Evan Boehs, "Everything I Know About the Xz Backdoor", 3/29/2024:

In April 2022, Jia Tan submits a patch via a mailing list. The patch is irrelevant, but the events that follow are.

[h/t Jonathan Lundell]

If you're not already aware, you can learn about the xz backdoor on reddit or on OpenSSF — from the second source:

A backdoor in upstream xz/liblzma was announced on the oss-security mailing list regarding the xz compression tools and libraries. Specifically, the issue with the xz libraries is with versions 5.6.0 and 5.6.1, and users are urged to immediately stop usage and downgrade to xz-5.4.x.

This vulnerability in XZ Utils – the XZ format compression utilities included in most Linux distributions – may “enable a malicious actor to break sshd authentication and gain unauthorized access to the entire system remotely,” Red Hat warns. However, they note “Luckily xz 5.6.0 and 5.6.1 have not yet widely been integrated by Linux distributions, and where they have, mostly in pre-release versions.”
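As an added practical check that is not part of the original post or of the OpenSSF and Red Hat advisories quoted above: the script below classifies an xz tool and liblzma against the version numbers the advisory names (5.6.0 and 5.6.1 affected; 5.4.x the recommended downgrade target). It parses the two lines that `xz --version` prints and, separately, asks the liblzma the dynamic loader resolves for its own version via liblzma's `lzma_version_string()` through ctypes, because the CLI and the shared library that other programs link can differ. The function names and the constructed sample output are my own; a version match is the advisory's criterion, not proof that a given build is clean or compromised.

```python
"""Classify xz / liblzma versions against the advisory's affected list."""
from __future__ import annotations

import ctypes
import ctypes.util
import re
import shutil
import subprocess
from typing import Optional, Tuple

# Versions named as backdoored in the oss-security announcement.
AFFECTED = {(5, 6, 0), (5, 6, 1)}
# The advisory's recommended downgrade target is the 5.4.x series.
SAFE_SERIES = (5, 4)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")

# Constructed sample of what `xz --version` prints (two lines: tool, library).
SAMPLE_OUTPUT = "xz (XZ Utils) 5.6.1\nliblzma 5.6.1\n"


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract the first X.Y.Z triple from a line such as 'liblzma 5.4.5'."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def classify(version: Optional[Tuple[int, int, int]]) -> str:
    """Return 'affected', 'safe-series', 'other' or 'unknown'."""
    if version is None:
        return "unknown"
    if version in AFFECTED:
        return "affected"
    if version[:2] == SAFE_SERIES:
        return "safe-series"
    return "other"


def classify_xz_version_output(output: str) -> dict:
    """Classify each line of `xz --version` separately, keyed 'xz' / 'liblzma'."""
    result = {}
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        key = "liblzma" if line.lower().startswith("liblzma") else "xz"
        result[key] = classify(parse_version(line))
    return result


def probe_system() -> dict:
    """Best-effort live check of this host.

    'xz' and 'liblzma' come from the xz binary on PATH; 'liblzma-loaded' is
    the library ctypes resolves, which may differ from the one xz links.
    Anything that cannot be determined is reported as 'unknown'.
    """
    findings = {"xz": "unknown", "liblzma": "unknown", "liblzma-loaded": "unknown"}
    xz = shutil.which("xz")
    if xz:
        try:
            proc = subprocess.run([xz, "--version"], capture_output=True,
                                  text=True, timeout=5)
            findings.update(classify_xz_version_output(proc.stdout))
        except (OSError, subprocess.SubprocessError):
            pass
    libname = ctypes.util.find_library("lzma")
    if libname:
        try:
            lib = ctypes.CDLL(libname)
            lib.lzma_version_string.restype = ctypes.c_char_p
            loaded = lib.lzma_version_string().decode("ascii", "replace")
            findings["liblzma-loaded"] = classify(parse_version(loaded))
        except (OSError, AttributeError):
            pass
    return findings


if __name__ == "__main__":
    print("sample:", classify_xz_version_output(SAMPLE_OUTPUT))
    for component, status in probe_system().items():
        print(f"{component}: {status}")
```

Run it directly to see the constructed sample classified as affected and then the live findings for the host; an 'affected' result for either the CLI or the loaded library is the signal the advisory asks users to act on by downgrading to 5.4.x.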

