2024-03-30 19:11:04

Dr. Hax on Nostr: The xz package was backdoored, and the payload appears to be targeting SSH on x86_64 ...

The xz package was backdoored, and the payload appears to be targeting SSH on x86_64 Fedora and Debian.

What you need to know:
- The backdoored version did not make it into any stable distros
- It was caught about a month after it was introduced
- It did make it into some bleeding edge distros (e.g. Debian's unstable branch: sid)
- It only affected the binary releases, so if you build from source, you were safe from this one
- It was only caught because the backdoor caused some tests to take a half second longer; someone noticed this and decided to investigate why

Get the technical details directly from the person who discovered it: https://www.openwall.com/lists/oss-security/2024/03/29/4
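Since the post says the payload targets SSH and ships in the xz package (whose library is liblzma), the first thing a defender wants to know is whether the local sshd would load liblzma at all, and which copy. The script below is an added example, not code from the post or the advisory; it assumes a Linux host with `ldd`, and falls back to a constructed sample of `ldd` output so it runs offline.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes a Linux host with ldd.
# Reports whether the sshd binary would load liblzma (shipped by the xz package)
# and which file it resolves to, so the path can be compared with the
# distribution's advisory. sshd linking liblzma is normal on Fedora/Debian;
# this is an inventory step, not proof of compromise.

# liblzma_from_ldd: read ldd-style output on stdin and print the resolved path
# of liblzma. Exit 0 when a liblzma entry was found, 1 otherwise.
liblzma_from_ldd() {
  awk '
    /liblzma\.so/ {
      for (i = 1; i <= NF; i++)
        if ($i ~ /^\//) { print $i; found = 1 }
    }
    END { if (found) exit 0; exit 1 }
  '
}

# check_sshd: run ldd against sshd ($1, or the one found in PATH) and report.
# Returns 0 if liblzma is loaded, 1 if not, 2 if sshd cannot be located.
check_sshd() {
  sshd_path="${1:-$(command -v sshd 2>/dev/null)}"
  if [ -z "$sshd_path" ]; then
    echo "sshd not found in PATH" >&2
    return 2
  fi
  if lib=$(ldd "$sshd_path" 2>/dev/null | liblzma_from_ldd); then
    echo "$sshd_path loads $lib"
    return 0
  fi
  echo "$sshd_path does not load liblzma"
  return 1
}

# Constructed sample of ldd output (not captured from a real host), used for
# the offline demonstration below.
SAMPLE_LDD='linux-vdso.so.1 (0x00007fff)
    libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f)
    liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f)'

# Offline demonstration on the sample; pass --live to inspect the real sshd.
if [ "${1:-}" = "--live" ]; then
  check_sshd
else
  printf '%s\n' "$SAMPLE_LDD" | liblzma_from_ldd
fi
```

On a host where the reported path is not the one your distribution's package for the fixed xz release ships, compare it against the advisory before drawing conclusions.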
Author public key: npub16v82nr4xt62nlydtj0mtxr49r6enc5r0sl2f7cq2zwdw7q92j5gs8meqha