Replying to Dr. Hax

The xz package was backdoored, and the payload appears to be targeting SSH on x86_64 Fedora and Debian.

What you need to know:

- The backdoored version did not make it into any stable distros

- It was caught about a month after it was introduced

- It did make it into some bleeding edge distros (e.g. Debian's unstable branch: sid)

- It only affected the binary releases, so if you build from source, you were safe from this one

- It was only caught because the backdoor caused some tests to take half a second longer; someone noticed this and decided to investigate why

Get the technical details directly from the person who discovered it: https://www.openwall.com/lists/oss-security/2024/03/29/4

Enki 1y ago

This whole circumstance still kind of blows my mind.


Discussion

Dr. Hax 1y ago

What's really gonna bake your noodle later on is, how many times has this happened before and nobody caught it?

Enki 1y ago

Yeah that's definitely a scary side of this.

Rand 1y ago

does this affect me?
