Microsoft Has a Prank for 01/04/2024: So a Company Over 111 Billion Dollars in Debt, With Another Company Unable to Make Any Money, Find 100 Billion Dollars in Between the Sofa Cushions
What the Media Overlooks in xz: Microsoft Staff 'Discovered' the Issue in a Microsoft Platform Just Before Easter and in Time to Distract From Exchange Blunder

Backdoor in xz: What We Know So Far

posted by Roy Schestowitz on Mar 31, 2024

libzma updated

Many people are patching a hole, a deliberate hole, and many have not done so yet (many are on holiday so they don't even know). Set aside the fact that the hole can be traced back to Microsoft's GitHub (proprietary) and those developers who didn't rush to grab the latest from Microsoft's GitHub are generally safe.

It's not really an issue attributed to Microsoft's GitHub. The choice of Microsoft's GitHub is a symptom however.

All the major distros, save Debian, issued a statement on the matter (see the links here or coverage in Gemini; we've collected about 20 references).

Right now in IRC (of Techrights and SoylentNews) people talk about it. Some wish to know who's responsible for this.

We don't have all the answers yet (many haven't patched their systems either) and "the media" isn't very active right now. Here is one interesting take on it: "Here’s what we know so far: some time ago, an unknown party evidently noticed that liblzma (aka xz) — a relatively obscure open-source compression library — was a dependency of OpenSSH, a security-critical remote administration tool used to manage millions of servers around the world. This dependency existed not because of a deliberate design decision by the developers of OpenSSH, but because of a kludge added by some Linux distributions to integrate the tool with the operating system’s newfangled orchestration service, systemd." (via Peter N. M. Hansteen)

BSDs and operating systems without systemd (Linux is not impacted) have nothing to worry about. I've updated my Debian systems. Have you? Hurry up. █

Other Recent Techrights' Posts

Links 07/02/2025: Amazon’s Stock Collapses and US Government Being Dismantled (Still): Links for the day
Slopwatch: Carnival of LLM Slop and FUD Spewed by Bots, Pasted in by MaKenna Hensley and Day: Welcome to the Web in 2025. Articles about "Linux", "Security", and the Web (e.g. "Firefox") are fake.
Links 08/02/2025: News Corp Admits Traffic Declines, Wildlife Trafficking Tackled: Links for the day
Gemini Links 08/02/2025: Lamp and Notions: Links for the day
Over at Tux Machines...: GNU/Linux news for the past day
IRC Proceedings: Friday, February 07, 2025: IRC logs for Friday, February 07, 2025
Gemini Links 07/02/2025: Mid-level Details and Simple Code: Links for the day
Links 07/02/2025: US 'Demolition Crew', e-ID Loopholes, and Sanctions: Links for the day
Professor Eben Moglen on How Social Control Media Metabolises Humans and Constrains Freedom of Thought: Nothing of value would be lost if all these data-harvesting giants (profiling people) vanished overnight
Social Control Media is Narcissism: Nowadays there's a lot more literature and even press coverage explaining the harms of Social Control Media
Debian Left Twitter (MElon "X"), We Think the Free Software Foundation (FSF) Should Do the Same: What would the FSF really lose if it stopped posting there?
statCounter Sees GNU/Linux Share Doubling in China Over the Past Year: It'll be interesting to see what data in the coming months shows
Over at Tux Machines...: GNU/Linux news for the past day
IRC Proceedings: Thursday, February 06, 2025: IRC logs for Thursday, February 06, 2025
Richard Stallman (RMS) Confirms Next Week's Talk in Europe: He gave at least 2 talks in Europe last month
Nationalism As A Service (NaaS) by Microsoft Azure, Gutting the US Government for Profit: Will Microsoft be receiving bailouts as a reward for all this?
Rumours of IBM Layoffs Apparently Confirmed Yesterday, IBM Canada Consulting Impacted (as Rumoured): when IBM has layoffs we must also read it as Red Hat layoffs
Tons of Anti-Linux 'Articles' Published by Bots (LLMs), Maybe Microsoft's: Upon closer inspection, all this FUD turned out to be LLM garbage
Gemini Links 06/02/2025: Voicemail Sucks and Night of Lights: Links for the day
Ubuntu Desktop Director of Engineering Has Only One Blog Post. It Promotes Microsoft Windows.: Remember that even 15 years ago (more or less, maybe 16 years ago) Canonical appointed a a 'former' Microsoft manager (Spencer) to lead Ubuntu on the desktop
Links 06/02/2025: YouTube Takedowns Out of Control, 'DOGE' Breaking Laws: Links for the day
IBM Red Hat on "era of cloud computing", pushing "hey hi" (AI) hype in Microsoft Azure: LLM slop might actually be more benign than Microsoft promotion
Corruption and Rule-Breaking Prevail at the European Patent Office (EPO), Europe's Second-Largest Institution: The law does not really exist at the EPO; it can be perceived as merely a "recommendation"
statCounter: More Countries Where Windows is Around 1% "Market Share" (People Have Moved to Android/Linux): in some nations Windows is already 1% or less
404 Media Says "Workers at NASA Told to Drop Everything to Scrub Mentions of Indigenous People, Women from Its Websites" But There's Also Accessibility in the Firing Line: In the case of abandoning accessibility, everyone stands to be hurt and proprietary software can be brought in to replace standards
When BetaNews Writes Real Articles About "Linux" They Promote Windows: The Web is in a bad state. We need to at least try to correct this.
Gemini Links 06/02/2025: Cynicism and "Real Magic on the C64": Links for the day
Links 06/02/2025: New Sanctions, Layoffs, and Executive Orders: Links for the day
Distros and Desktop Environments, Devices: GNU/Linux focused
New Rumours of IBM Layoffs in 2025, IBM Consulting Still Struggles, Based on Management: "Hey hi" (AI) has been a common excuse for business failure
Over at Tux Machines...: GNU/Linux news for the past day
IRC Proceedings: Wednesday, February 05, 2025: IRC logs for Wednesday, February 05, 2025