xz backdoor
im late to the xz backdoor party by 4 days but whatever
so uh last weekend a backdoor in liblzma was discovered and this is so crazy
so one of the guys that maintained the project (although not the real maintainer of the project, the real maintainer was away for mental health reasons), who was contributing to the project for 2 years getting the trust of the community, decided to put a backdoor on the upstream tarballs of the project, not the git repository, although the malicious tarballs inside the tarball were in both the git repository and the upstream tarballs (i hope this isnt confusing)
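the tarball vs git difference described above, as a small added example (not code from the xz project or from this post): it hashes every file in a release tarball and compares the result against the git tree at the same tag. the project name, paths and file contents are made up for the sample.

```python
import hashlib
import io
import tarfile

def tarball_digests(tar_bytes: bytes, prefix: str) -> dict:
    """SHA-256 of every regular file in the tarball, top-level dir stripped."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for m in tar:
            if m.isfile() and m.name.startswith(prefix):
                data = tar.extractfile(m).read()
                out[m.name[len(prefix):]] = hashlib.sha256(data).hexdigest()
    return out

def compare(tar_files: dict, git_files: dict) -> dict:
    """Sort paths into tarball-only, differing from git, and git-only."""
    return {
        "only_in_tarball": sorted(tar_files.keys() - git_files.keys()),
        "content_differs": sorted(p for p in tar_files.keys() & git_files.keys()
                                  if tar_files[p] != git_files[p]),
        "only_in_git": sorted(git_files.keys() - tar_files.keys()),
    }

def make_tarball(files: dict, prefix: str) -> bytes:
    """Build an in-memory .tar.gz from {path: bytes}; used for the sample only."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(prefix + path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

# Constructed sample (made-up names): git tree at a release tag, and its tarball.
COMMON = {"src/main.c": b"int main(void){return 0;}\n",
          "tests/files/sample.bin": b"\x00\x01\x02",   # identical in both places
          "configure.ac": b"AC_INIT\n"}
GIT_TREE = {**COMMON, ".gitignore": b"*.o\n"}
TARBALL = make_tarball({**COMMON,
                        "configure": b"#!/bin/sh\n",          # generated at release time
                        "m4/extra.m4": b"# not in git\n"},    # tarball-only, needs review
                       prefix="proj-1.0/")

def sample_report() -> dict:
    git = {p: hashlib.sha256(d).hexdigest() for p, d in GIT_TREE.items()}
    return compare(tarball_digests(TARBALL, "proj-1.0/"), git)

if __name__ == "__main__":
    print(sample_report())
```

release tarballs built with autotools normally carry generated files like `configure` that are not in git, so the tarball-only entries are a list of things to review, not a verdict.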
the guy responsible is JiaT75. i already reported him on github and i advise you to do so too. the xz repository was already disabled by github about 1 day after the drama
this happened on march 29 and all affected distros should be fixed by now if you update your system or something
the backdoor seems to allow some form of remote access or remote code execution on sshd and makes ssh logins slower than usual. you can read more on the sources below.
sources
- https://www.openwall.com/lists/oss-security/2024/03/29/4
- https://github.com/tukaani-project/xz/issues/92 (repository disabled on date of publish)
- https://nvd.nist.gov/vuln/detail/CVE-2024-3094