Microsoft Has a Prank for 01/04/2024: So a Company Over 111 Billion Dollars in Debt, With Another Company Unable to Make Any Money, Find 100 Billion Dollars in Between the Sofa Cushions
What the Media Overlooks in xz: Microsoft Staff 'Discovered' the Issue in a Microsoft Platform Just Before Easter and in Time to Distract From Exchange Blunder

Backdoor in xz: What We Know So Far

posted by Roy Schestowitz on Mar 31, 2024

libzma updated

Many people are patching a hole, a deliberate hole, and many have not done so yet (many are on holiday so they don't even know). Set aside the fact that the hole can be traced back to Microsoft's GitHub (proprietary) and those developers who didn't rush to grab the latest from Microsoft's GitHub are generally safe.

It's not really an issue attributed to Microsoft's GitHub. The choice of Microsoft's GitHub is a symptom however.

All the major distros, save Debian, issued a statement on the matter (see the links here or coverage in Gemini; we've collected about 20 references).

Right now in IRC (of Techrights and SoylentNews) people talk about it. Some wish to know who's responsible for this.

We don't have all the answers yet (many haven't patched their systems either) and "the media" isn't very active right now. Here is one interesting take on it: "Here’s what we know so far: some time ago, an unknown party evidently noticed that liblzma (aka xz) — a relatively obscure open-source compression library — was a dependency of OpenSSH, a security-critical remote administration tool used to manage millions of servers around the world. This dependency existed not because of a deliberate design decision by the developers of OpenSSH, but because of a kludge added by some Linux distributions to integrate the tool with the operating system’s newfangled orchestration service, systemd." (via Peter N. M. Hansteen)

BSDs and operating systems without systemd (Linux is not impacted) have nothing to worry about. I've updated my Debian systems. Have you? Hurry up. █

Other Recent Techrights' Posts

2026 Microsoft Layoff Rumours: Surely if we had properly-functioning media, then someone would investigate this rather than rely on official statements from Microsoft and WARN notices
Microsofters' SLAPP Censorship - Part 13 Out of 200: Abuse of Process to Make False Accusations of UKGDPR Violations: familiar barrister and same lawyers
What Puts the Brakes on GNU/Linux Adoption on Laptops and Desktops is Monopoly Control (or Monoculture) Over the Distros: Distros that adopt systemd are controlled by IBM and GAFAM
Debian is Dying for Some of the Same Reasons IBM's Fedora is Rapidly Dying: Prioritising CoC censorship, not communities
The Register MS is Again Femmewashing GAFAM (Which Makes Widows) in Exchange for Money: This is a moral issue because they betray or harm women and prop up authoritarian regimes
Gemini Links 16/03/2026: AB 1043, Lagrange Android Beta 47, and Poetry: Links for the day
"Slop-forking" or "Vibe-forking" as the New 'Noble' Plagiarism: New Cloudflare Slop Project?
EPO "Cocaine Communication Manager" - Part VII - Cult Mentality, Mobbing, Nepotism: Does the EPO actually believe in the law?
EPO Strike This Week: contact your national representatives about it
Gemini Links 15/03/2026: "Create Opportunities for Good Things to Happen", DOSbook, and Bitcoin Criticism: Links for the day
Over at Tux Machines...: GNU/Linux news for the past day
IRC Proceedings: Sunday, March 15, 2026: IRC logs for Sunday, March 15, 2026
Pirate Praveen Arimbrathodiyil & Debian denouncing volunteers, hiding romances: Reprinted with permission from Daniel Pocock
Links 15/03/2026: WB Games Montréal Undergoes Layoffs, "Swiss Reject Cuts to Public Broadcasting": Links for the day
Gemini Links 15/03/2026: Messages in Bottles and Audio Streaming in Lagrange for Android: Links for the day
Thrown Under the Microsoft Bus: Microsoft wants disposable contractors
Quitting IBM and "Rumors of an Upcoming RA [Mass Layoffs] in April 2026": Blue layoffs or "RAs" were confirmed upfront by the CFO
GNU/Linux Distro Builders Barely Paid Enough to Pay Basic Bills, Chief of "Linux" Foundation (Not Even Using Linux!) Increases His Own Salary by Over 50% in 5 Years: Salaries or compensation correlate with the ability to exploit people, not to create things
The "Zero-Sum" Fallacy: Fallacies like "zero-sum" - especially in the context of foreign affairs including war - are utterly ruinous
A Happy Birthday to Richard Stallman: Richard Stallman will turn 73
Jürgen Habermas is Dead, But the Politicised, Inherently Corrupt, Corporatised Court for Patents That He Inspired Is Not: In the news throughout the weekend
Mountains of Abuses of Process by Brett Wilson LLP on Behalf of Americans and Sometimes at the Expense of British Taxpayers: a virtual "limited liability"
linuxteck.com FUD by LLM Slop, ubuntupit.com Passes the Slop Baton: Unless they get back to doing long-form authentic articles, as opposed to slop, no good will come out of it
Links 15/03/2026: New Shortages, Lynx Populations Depletion: Links for the day
Sruthi Chandran & Debian Diversity, Favoritism, Hidden Conflicts of Interest: Reprinted with permission from Daniel Pocock
software in the public domain: Reprinted with permission from Alex Oliva
Links 15/03/2026: Slop "Bubble Driving Interest in Chip Alternatives" and Wildlife Erosion Reported: Links for the day
Over at Tux Machines...: GNU/Linux news for the past day
IRC Proceedings: Saturday, March 14, 2026: IRC logs for Saturday, March 14, 2026
Layoffs in Twitter, Facebook, and Microsoft's LinkedIn: There are silent layoffs at Microsoft this month
We Don't Depend on Google and Don't Care for Google: We have our own site search and we don't depend on Google to bring visits/visitors to us
Change of Address at the Hired Guns, Address Removed: Companies tend to alter their 'shell structure' in anticipation of major action
Facebook Layoffs Due to Enormous Debt, Nothing to Do With "Hey Hi" Slop: The lies about "hey hi" in relation to layoffs will only contribute to further public resentment towards: 1) the media and 2) all the slop.
The Good IBM Managers Have Flown Away, All That's Left is the Book-Cooking Loyalists: IBM is just cheating the SEC and shareholders. This seems to be the only thing IBM's management is nowadays good at.
Microsofters' SLAPP Censorship - Part 12 Out of 200: Months Ahead of Serial Strangler From Microsoft Who Helped Double the Lawsuits (Funded by Third Parties) as 'Revenge' for Exposing Crimes: In 2024 I sat down and wrote about what had been done to me and to my wife
Crime Comes in Many Forms: apparently the SRA is OK with stranglers of women in America bullying the media in the UK
commandlinux.com, linuxteck.com, linuxiac.com, and linuxsecurity.com are Slopfarms With "Linux" in Their Domain Name: once readers realise they read slop they immediately lose interest
Links 14/03/2026: Adoption of Slop Has Killed BuzzFeed, Russia Sees "Economic Gain From Iran War": Links for the day
Patriotism is Conditional, If It's Unconditional, Then It's Like a Cult: My love for Software Freedom is only as strong as my love for Freedom of the Press
Links 14/03/2026: Mass Layoffs at Facebook ('Meta') and Sweeping Layoffs at Twitter (xAI), Social Control Media and Slop Are Only Debt: Links for the day
Wrong Time, Wrong Place (Digg): Kevin Rose and Alexis Ohanian can relaunch Digg.com, but we doubt it'll work "this time for real!"
Universities Became Bad Places for Work: What happened to academia?
Reporting New and Suppressed Information is What Journalism is All About: In the domain of Free software, there are very few sites out there that offer exclusive coverage on community affairs and there are many gagging/censorship attempts
The Limits of Speech and the Rationale of Limitations: it seems to be part of an international trend
Over at Tux Machines...: GNU/Linux news for the past day
IRC Proceedings: Friday, March 13, 2026: IRC logs for Friday, March 13, 2026
Gemini Links 14/03/2026: Goodness, AD534 Multiplier Module, and Extroverts Online: Links for the day