Bonum Certa Men Certa

Backdoor in xz: What We Know So Far

posted by Roy Schestowitz on Mar 31, 2024

libzma updated

Many people are patching a hole, a deliberate hole, and many have not done so yet (many are on holiday so they don't even know). Set aside the fact that the hole can be traced back to Microsoft's GitHub (proprietary) and those developers who didn't rush to grab the latest from Microsoft's GitHub are generally safe.

It's not really an issue attributed to Microsoft's GitHub. The choice of Microsoft's GitHub is a symptom however.

All the major distros, save Debian, issued a statement on the matter (see the links here or coverage in Gemini; we've collected about 20 references).

Right now in IRC (of Techrights and SoylentNews) people talk about it. Some wish to know who's responsible for this.

We don't have all the answers yet (many haven't patched their systems either) and "the media" isn't very active right now. Here is one interesting take on it: "Here’s what we know so far: some time ago, an unknown party evidently noticed that liblzma (aka xz) — a relatively obscure open-source compression library — was a dependency of OpenSSH, a security-critical remote administration tool used to manage millions of servers around the world. This dependency existed not because of a deliberate design decision by the developers of OpenSSH, but because of a kludge added by some Linux distributions to integrate the tool with the operating system’s newfangled orchestration service, systemd." (via Peter N. M. Hansteen)

BSDs and operating systems without systemd (Linux is not impacted) have nothing to worry about. I've updated my Debian systems. Have you? Hurry up.

Other Recent Techrights' Posts

Links 14/04/2024: Tesla and OpenAI (Microsoft) Layoffs Floated in the Media
Links for the day
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Saturday, April 13, 2024
IRC logs for Saturday, April 13, 2024
Gemini Links 13/04/2024: SEO Spam and ‘Broadband Nutrition Label’
Links for the day
Gemini Links 13/04/2024: GmCapsule 0.7 Released
Links for the day
Links 13/04/2024: Whistleblowers, OpenAI and Microsoft Leakers
Links for the day
'Our' Technology Inside the Home is Becoming Less Reliable and It Implements the Vision of Orwell's '1984' (Microphones and Cameras Inside Almost Every Room)
Technology controlled by who exactly?
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Friday, April 12, 2024
IRC logs for Friday, April 12, 2024
Google, FSFE & Child labor
Reprinted with permission from the Free Software Fellowship
Links 13/04/2024: Huawei and Loongson PCs, IBM Layoffs
Links for the day
Gemini Links 13/04/2024: Specification Changes and Metaverse Newbie
Links for the day
Links 12/04/2024: Big Brother in the Workplace and Profectus Browser Alpha 0.3
Links for the day
[Video] Trainline Finally Issues a Refund, But It Took 9 Days and Showed How 'Modern' Systems Fail Travelers
They treat people like a bunch of animals or cattle, not like valuable customers
WIPO UDRP D2024-0770 Debian vendetta response
Reprinted with permission from Daniel Pocock
Links 12/04/2024: Reporters Without Borders Rep Kicked Out of Hong Kong
Links for the day
Gemini Links 12/04/2024: Funny Thing, Manual Scripts, and More
Links for the day
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Thursday, April 11, 2024
IRC logs for Thursday, April 11, 2024