i'm late to the xz backdoor party by 4 days but whatever

so uh, last weekend a backdoor in liblzma (the compression library behind xz) was discovered and this is so crazy

so one of the people maintaining the project (although not the original maintainer, who was away for mental health reasons) had been contributing for about 2 years and built up the community's trust, then put a backdoor into the project's upstream release tarballs. the part that hooks the build (a modified build-to-host.m4) exists only in the tarballs, not in the git repository, but the payload itself was hidden inside "test files" that were committed to git as well, so both the repository and the tarballs carried pieces of it (i hope this isn't confusing)

the account responsible is JiaT75. i already reported him on github and i advise you to do so too. github disabled the xz repository about a day after the news broke

this was disclosed on march 29 (2024, tracked as CVE-2024-3094) and the affected releases are xz/liblzma 5.6.0 and 5.6.1. it mostly hit rolling-release and testing/beta distros, and the ones that shipped those versions have pushed fixed packages by now, so update your system and make sure you are no longer on 5.6.0 or 5.6.1

the backdoor targets sshd: on distros that patch openssh to link libsystemd (which pulls liblzma into the sshd process), it uses glibc's ifunc resolvers to hook RSA_public_decrypt, and because that runs in a pre-authentication context it seems to allow some form of remote access or remote code execution on sshd. a side effect is that ssh logins got noticeably slower than usual, which is what led to it being found. you can read more in the sources below.
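a quick way to check the two things above (whether your installed liblzma is one of the backdoored upstream releases, and whether sshd on your box even links liblzma). this is my own added example, not code from the original post, the advisory or the xz project; it assumes `xz`, `ldd` and `sshd` are on the usual paths and that the package names `liblzma5` (debian) and `xz-libs` (fedora) are what your distro uses:

```sh
#!/bin/sh
# added example, not from the original post or the xz project:
# does this host carry a backdoored liblzma, and was the sshd hook reachable?
# the backdoored upstream releases are xz/liblzma 5.6.0 and 5.6.1 (CVE-2024-3094).

# return 0 (true) when a version string names a backdoored upstream release.
# the first dotted x.y.z number in the string is taken as the version, so this
# works on "xz (XZ Utils) 5.6.1" as well as on a bare "5.6.1".
xz_version_affected() {
    v=$(printf '%s\n' "$1" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1)
    case "$v" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# first line of `xz --version`, e.g. "xz (XZ Utils) 5.4.5"; empty if xz is absent.
installed_xz_version() {
    xz --version 2>/dev/null | head -n 1
}

# return 0 when sshd links liblzma, directly or transitively (in the affected
# distros it came in through libsystemd). ldd lists the whole transitive set.
sshd_links_liblzma() {
    sshd_path=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
    [ -x "$sshd_path" ] && ldd "$sshd_path" 2>/dev/null | grep -q 'liblzma'
}

ver=$(installed_xz_version)
if [ -z "$ver" ]; then
    echo "xz not on PATH; ask the package manager instead (dpkg -l liblzma5 / rpm -q xz-libs)"
elif xz_version_affected "$ver"; then
    echo "AFFECTED: '$ver' is a backdoored upstream release, update liblzma now"
else
    echo "installed: '$ver' (not 5.6.0 or 5.6.1)"
fi

if sshd_links_liblzma; then
    echo "sshd links liblzma: the sshd hook was reachable on this host while 5.6.x was installed"
else
    echo "sshd missing or does not link liblzma: the sshd hook was not reachable here"
fi
```

one caveat: the version string is a necessary but not sufficient signal. some distros rebuilt 5.6.1 from a clean git checkout (which never had the tarball-only build hook) and kept the 5.6.1 version number, so if this flags you, confirm against your distro's advisory and the package changelog rather than trusting the number alone.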

sources

  1. https://www.openwall.com/lists/oss-security/2024/03/29/4
  2. https://github.com/tukaani-project/xz/issues/92 (repository disabled on date of publish)
  3. https://nvd.nist.gov/vuln/detail/CVE-2024-3094