Microsoft Has a Prank for 01/04/2024: So a Company Over 111 Billion Dollars in Debt, With Another Company Unable to Make Any Money, Find 100 Billion Dollars in Between the Sofa Cushions
What the Media Overlooks in xz: Microsoft Staff 'Discovered' the Issue in a Microsoft Platform Just Before Easter and in Time to Distract From Exchange Blunder

Backdoor in xz: What We Know So Far

posted by Roy Schestowitz on Mar 31, 2024

libzma updated

Many people are patching a hole, a deliberate hole, and many have not done so yet (many are on holiday so they don't even know). Set aside the fact that the hole can be traced back to Microsoft's GitHub (proprietary) and those developers who didn't rush to grab the latest from Microsoft's GitHub are generally safe.

It's not really an issue attributed to Microsoft's GitHub. The choice of Microsoft's GitHub is a symptom however.

All the major distros, save Debian, issued a statement on the matter (see the links here or coverage in Gemini; we've collected about 20 references).

Right now in IRC (of Techrights and SoylentNews) people talk about it. Some wish to know who's responsible for this.

We don't have all the answers yet (many haven't patched their systems either) and "the media" isn't very active right now. Here is one interesting take on it: "Here’s what we know so far: some time ago, an unknown party evidently noticed that liblzma (aka xz) — a relatively obscure open-source compression library — was a dependency of OpenSSH, a security-critical remote administration tool used to manage millions of servers around the world. This dependency existed not because of a deliberate design decision by the developers of OpenSSH, but because of a kludge added by some Linux distributions to integrate the tool with the operating system’s newfangled orchestration service, systemd." (via Peter N. M. Hansteen)

BSDs and operating systems without systemd (Linux is not impacted) have nothing to worry about. I've updated my Debian systems. Have you? Hurry up. █

Other Recent Techrights' Posts

The Cyber Show: Remember That Code is Art: The article is very long, very profound, and speaks of "the next installation"
Only Days After Mass Layoffs in Microsoft's Azure There Are Headlines About Much-Expected XBox Layoffs: XBox as a console is basically dead or "fast-dying"
SLAPP Censorship - Part 103 Out of 200: Telling People What They Know and Don't Know About Death Threats They Receive: patronising letters sent on behalf of the Serial Strangler from Microsoft
IBM Genies in the Bottle: for ordinary people working who at at IBM, it's not hard to see that IBM is floundering
Links 12/06/2026: "NearlyFreeSpeech" No More, Openwashing by Google (DiffusionGemma): Links for the day
Today There's a Massive EPO Strike (Like Every Friday), Workers Explain Further Cuts Despite the EPO Making More Income by Granting Illegal Patents (or Invalid Patents Illegally): "Recent exchange with the Administration on the implications of the SAP on the Education and Childcare Allowance"
Communicating With Freedom - Part IV - Quibble Now in quibble.chat, Open for Contributions Via Codeberg: Today we continue the series about Quibble
European Patent Office (EPO) Series: The Importance of Having "Pals from the Palacete": for his reappointment bid to succeed, Campinos will need to be able to rely on the support of both the Portuguese Prime Minister, Luís Montenegro, and the President of the European Council, António Costa
Cyber Show on How Updates or Upgrades Break Workflows, Even in Free Software: "We did a big upgrade on the AV production pipeline"
Discussions About IBM Layoffs in June, Including by RTO and PIPs: mass layoffs are becoming increasingly difficult to conceal
Gemini Links 12/06/2026: Decks and Work Essay: Links for the day
"Rolling Strikes" Continue at the European Patent Office, the Administrative Council Needs to Take Action Against Crooked Office Management: This coming weekend we'll talk about some of the other issues and concerns expressed by the union
Over at Tux Machines...: GNU/Linux news for the past day
IRC Proceedings: Thursday, June 11, 2026: IRC logs for Thursday, June 11, 2026
Links 11/06/2026: Disputes Over Copyright Infringement, Failure to Meet Climate Goals, "ChatGPT Caught Recommending “Products” That Are Just Scams": Links for the day
Gemini Links 11/06/2026: Programmable Systems and Slop "is Coming for Your Serifs": Links for the day
Over at Tux Machines...: GNU/Linux news for the past day
IRC Proceedings: Wednesday, June 10, 2026: IRC logs for Wednesday, June 10, 2026
Links 11/06/2026: LF Openwashing of Slop and "Azerbaijan Bans TikTok and Other Social Media Apps in School": Links for the day
European Patent Office (EPO) Series: The Centre (in Portugal) Falls Apart…: Luís Montenegro became embroiled in a conflict-of-interest controversy
IBM Lost About 18% of Its "Market Value" This Month: In IBM's case, a lot of the latest "pump" was Arvind's "quantum" hype/fantasy
Gemini Links 10/06/2026: Signal to Noise, Cancer, and Permacomputing: Links for the day
Links 10/06/2026: More Microsoft Layoffs, Sweden to "Ban Mobile Phones in Schools": Links for the day
Communities and "Prosumers.": today's meetup will be about community
Gemini and Gopher Links 10/06/2026: Roasting, Changes, and Harms of Slop: Links for the day
Microsoft Azure Shrinking With More Mass Layoffs: "Reports suggest the layoffs will impact close to 200 out of 400 workers, who are set to cease employment at Azure on July 6"
Over at Tux Machines...: GNU/Linux news for the past day
IRC Proceedings: Tuesday, June 09, 2026: IRC logs for Tuesday, June 09, 2026