Microsoft Has a Prank for 01/04/2024: So a Company Over 111 Billion Dollars in Debt, With Another Company Unable to Make Any Money, Find 100 Billion Dollars in Between the Sofa Cushions
What the Media Overlooks in xz: Microsoft Staff 'Discovered' the Issue in a Microsoft Platform Just Before Easter and in Time to Distract From Exchange Blunder

Backdoor in xz: What We Know So Far

posted by Roy Schestowitz on Mar 31, 2024

libzma updated

Many people are patching a hole, a deliberate hole, and many have not done so yet (many are on holiday so they don't even know). Set aside the fact that the hole can be traced back to Microsoft's GitHub (proprietary) and those developers who didn't rush to grab the latest from Microsoft's GitHub are generally safe.

It's not really an issue attributed to Microsoft's GitHub. The choice of Microsoft's GitHub is a symptom however.

All the major distros, save Debian, issued a statement on the matter (see the links here or coverage in Gemini; we've collected about 20 references).

Right now in IRC (of Techrights and SoylentNews) people talk about it. Some wish to know who's responsible for this.

We don't have all the answers yet (many haven't patched their systems either) and "the media" isn't very active right now. Here is one interesting take on it: "Here’s what we know so far: some time ago, an unknown party evidently noticed that liblzma (aka xz) — a relatively obscure open-source compression library — was a dependency of OpenSSH, a security-critical remote administration tool used to manage millions of servers around the world. This dependency existed not because of a deliberate design decision by the developers of OpenSSH, but because of a kludge added by some Linux distributions to integrate the tool with the operating system’s newfangled orchestration service, systemd." (via Peter N. M. Hansteen)

BSDs and operating systems without systemd (Linux is not impacted) have nothing to worry about. I've updated my Debian systems. Have you? Hurry up. █

Other Recent Techrights' Posts

Saving the Planet With Honesty, Transparency, and Sharing (Not Only of Computer Code): GAFAM is destroying the only habitat humans and other animals have and it'll only get worse
Disinformation About Election Outcomes Even Before Any Election Outcomes (or Election/Voting!): seeding doubt about election outcomes
Against Outsourcing of Sites and E-mail: Software Freedom is great, but it is not enough if you let someone else do it 'for you'
Drew DeVault: People Talking About My Attack Site (Against the Founder of GNU/Linux) is "Spam": "Spam on sr.ht mailing lists"
"Oppose the Fascist": what the founder of GNU/Linux said
Halloween, All Saints Day & Swiss citizenship: Reprinted with permission from Daniel Pocock
How Voting Does Not Work: You cannot vote from an "app"
Links 05/11/2024: Bluesky and Enshittification, Pugad Baboy, and Lots of Disinformation Flooding the Web: Links for the day
[Meme] Sweaty Under the Belly: "OK, my critics are 'spam'"
Microsoft Bribing Canonical (to Stop Competing) and Bribing Users to Shun the Competition: Canonical is worth shunning
[Meme] The 2024 'Info Bros': And prehistoric googling
Computers Getting Worse (for the User) Over Time: This is like Windows-ism coming to "Linux" through the hardware
[Meme] How NOT to Vote: Another form of (mostly-unspoken-of) election interference
An LLM Inside a 'Search' Engine Means That Companies Tell You What They Want, Not What Web Pages to Visit: The future of 'googling' things might be as unreliable as using Social Control Media as a source of information
Google's Debt Has Increased and 'Cash on Hand' Fell by 22.27% This Past Year: These are the numbers that the corporate media intentionally leaves out
Over at Tux Machines...: GNU/Linux news for the past day
IRC Proceedings: Monday, November 04, 2024: IRC logs for Monday, November 04, 2024
There's a Reason Why Techrights is Turning 18 and Tux Machines Will Turn 20.5 Next Month: I started advocating GNU/Linux when I was a teenager
Techrights Has a Long History of Fighting to Expose 'Team Mono' or Microsofters Inside GNOME: Never downplay the malice of Microsoft and its operatives
Gemini Links 05/11/2024: Halloween Over, Intention and Implementation, Bookmark Syncing: Links for the day
Microsoft Lost Nearly Half of Its 'Cash Reserves' This Past Year: Is Microsoft (MSFT) the next Intel (INTC)?
The Year Isn't Over Yet, There Will be More Waves of Microsoft Layoffs: Nowadays Microsoft just tries to conflate/equate its energy waste with "value"
The Corporate Media Blasted Bitcoin for Destroying the Planet and Must Do the Same to Incite the Public Against the 'Great Rigging of Wall Street' (Under the Guise of "AI", the Latest Gold Rush): "AI" is the next "metaverse" (trailing by a few months)
[Video] Richard Stallman is Back to Halo and Gown (in Peru) With 2+ Hours of a Public Talk: The globetrotting Richard Stallman gave many talks at the end of last month
Going Strong Against the Wind: the abuse serves to emphasise or affirm the importance of what we do
Links 04/11/2024: Squashing More Software Patents and Taiwan at Risk: Links for the day
Gemini Links 04/11/2024: Typing vs Writing and a Smol (Net) Pub: Links for the day
Links 04/11/2024: LibreOffice Had Adopted PeerTube, "Hey Hi" Hype is a Threat to the Energy Grids (Worse Than Fake-Coins): Links for the day
[Meme] Social Control Telescreens With Microphone: Nineteen Eighty-Four
Shout-out to Christine From FOSSForce: Who noticed our short story
Not Boycotting Apple (Yet)?: "Apple Forces The Signing Of Applications In MacOS Sequoia 15.1"
statCounter This Month: Android Has Nearly Become Twice as Big as Windows: If it happened, it would be an unprecedented milestone
Why Technical Sites Need Not Make Political Recommendations or Endorsements: Except perhaps when it's for some purely technical role, e.g. FCC chief
[Meme] Apple Freedom: Freedom is... the ability to purchase as many 'i' things as you want
Apple's MacOS Shows Us the Vision of Computing That GAFAM Has for Us (Digital Prisons): Freedom means "we the people" should be in control, not people being controlled by corporations (contemporary slaveowners)
"Active" as in One URL, One Emoji, and 4 Words in One Week: Diversity community in Fedora
Apple Vision Pro Has Failed, Just Like "Metaverse": Vision Pro lacks software
Things That Can Improve Election Integrity: the first two relate to "tech"
Rigging Elections is Difficult, Cheating a Little is Not: Avoid social control media, it is the biggest rigger of all
"People who live in glass houses shouldn't throw stones": On throwing stones in a glass house
Our Stance on Electronic (or Digital) Voting Machines: The simple activity of voting and counting ballots does not require thousands of complex machines with hundreds of millions of transistors and hundreds of millions of lines of code
Microsoft and "Retrospective Re-writing of History...": in YouTube anyone can make stuff up (as one goes along)
This Coming Week: Go exercise your right to vote
Over at Tux Machines...: GNU/Linux news for the past day
IRC Proceedings: Sunday, November 03, 2024: IRC logs for Sunday, November 03, 2024
Reddit is (Still) Lying and Faking: Don't fall for this phony idea that the above sites are grassroots or edgy; they're not
GNU/Linux Users Are Not Cheaters: The bottom line is, most cheaters use Windows
Links 04/11/2024: FCC, Broadband Industry Spar Over Net Neutrality; Software Patent Squashed: Links for the day
Gemini Links 03/11/2024: Official MyGemini.Space Announcement: Links for the day
Gemini Links 03/11/2024: Election Thoughts, Plagiarism, and LLM Slop: Links for the day
Links 03/11/2024: Deere 'Right to Repair' (RoR) and "Threads Bans Anyone For Mentioning Hitler": Links for the day
[Video] "El Movimiento del Software Libre y el Sistema Operativo GNU" by Richard M. Stallman: The footage is a bit jittery (taken with a phone apparently, and there's no tripod available), but the sound is OK and the words (in Spanish) are comprehensible
Android at New Highs (47%), Windows at New Lows (24%), Suggests Latest Data From statCounter: So the market share of Android is about double that of Windows
[Video] Richard Stallman's Talk in Spanish (in Peru Last Week): Alternative URLs too
The Media Focuses on the Wrong Scandal: The real scandal at MIT was Gates
Gemini Links 03/11/2024: Fantasy Life Day and Worship: Links for the day
[Meme] Write Us Drivers and GTFO!: When you realise sanctioning BRICS devs goes against the community
Decommissioning Copper Lines Makes Us Less Safe: We've essentially degraded the robustness or reliability of critical systems
Life of an Addicted Lolicon Who Can Also Code: Personal blog as an open diary
[Meme] Reporting Crime is Not a Crime: Obviously!
Manchester Party for Techrights: If you choose to come, of course we'll cover the cost of the food and treats (but not travel)
Privacy is Not a Crime (in Places Where It is a Crime the Regime is Typically Very Rogue): Also, criminals lack "privacy rights" to hide their crimes from the public
GNU/Linux "Market Share" in Lebanon More Than Doubled in a Few Months: Maybe it's a reaction to something? Assassination in Haret Hreik was in July.
Over at Tux Machines...: GNU/Linux news for the past day
IRC Proceedings: Saturday, November 02, 2024: IRC logs for Saturday, November 02, 2024
Nearly 40 Years Without Security Incidents: People who use Windows have come to sort of "accept" that security incidents are part of life or "normal"
[Meme] The Streisand Effect: Simon says, don't bother trying to suppress facts
Streisand Effect at IBM?: Trying to silence your workers isn't the best approach. It only makes colleagues even more curious.
Microsoft is a Gift That Keeps Giving (Future Stories to Techrights): Microsoft has been trying to silence me using dirty tricks for nearly 20 years
Elon Musk Has Trashed Twitter for Ideological Reasons (and Propping Up Trump in Exchange for Financial and Political Favours Once in Public Office): In case you didn't leave Twitter already, consider the fact that Twitter's (or "X"... whatever!) future is uncertain
Wall Street Has Demoted Intel, Seeing There May be No Future to Intel: Intel's loss isn't a loss to us
Free Software Licence Compliance is About Security Too: Linux as de facto proprietary off-the-shelf platform