Microsoft Has a Prank for 01/04/2024: So a Company Over 111 Billion Dollars in Debt, With Another Company Unable to Make Any Money, Find 100 Billion Dollars in Between the Sofa Cushions
What the Media Overlooks in xz: Microsoft Staff 'Discovered' the Issue in a Microsoft Platform Just Before Easter and in Time to Distract From Exchange Blunder

Backdoor in xz: What We Know So Far

posted by Roy Schestowitz on Mar 31, 2024

libzma updated

Many people are patching a hole, a deliberate hole, and many have not done so yet (many are on holiday so they don't even know). Set aside the fact that the hole can be traced back to Microsoft's GitHub (proprietary) and those developers who didn't rush to grab the latest from Microsoft's GitHub are generally safe.

It's not really an issue attributed to Microsoft's GitHub. The choice of Microsoft's GitHub is a symptom however.

All the major distros, save Debian, issued a statement on the matter (see the links here or coverage in Gemini; we've collected about 20 references).

Right now in IRC (of Techrights and SoylentNews) people talk about it. Some wish to know who's responsible for this.

We don't have all the answers yet (many haven't patched their systems either) and "the media" isn't very active right now. Here is one interesting take on it: "Here’s what we know so far: some time ago, an unknown party evidently noticed that liblzma (aka xz) — a relatively obscure open-source compression library — was a dependency of OpenSSH, a security-critical remote administration tool used to manage millions of servers around the world. This dependency existed not because of a deliberate design decision by the developers of OpenSSH, but because of a kludge added by some Linux distributions to integrate the tool with the operating system’s newfangled orchestration service, systemd." (via Peter N. M. Hansteen)

BSDs and operating systems without systemd (Linux is not impacted) have nothing to worry about. I've updated my Debian systems. Have you? Hurry up. █

Other Recent Techrights' Posts

The "Alicante Mafia" - Part IX - EPO Budget Funnelled Into Cocaine and Moreover Rewards Cocaine-Addicted Management for Getting Busted by Police: Any day that passes without European media and European politicians doing anything about it merely discredits the media and the EU (or national governments)
How Microsoft Will Tell Shareholders That the Business is Failing in a Few Days: It'll resort to "AI" storytelling (lying about slop having potential for some unspecified future year)
Flying to See Today's Talk by Richard Stallman: It's probably not too late to reserve a seat for today's talk
The Fall of Freenode Didn't Kill IRC and the Web's Issues (Not Limited to LLM Slop) Didn't Kill Everything: As long as there are enough people willing to keep the simple (or "old") stuff it'll refuse to die
GAFAM Layoffs by Performance Improvement Plans (PIPs) Hide the Real Scale of Their Financial Troubles: the "official" numbers of layoffs will never tell the true story
'Domesticated' Animals Not More Valuable Than Free-range Wildlife, Proprietary ('Commercial') Software Isn't Better Than Free Software: the proprietary software giants (companies like SAP or Microsoft) have a lot of lobbyists
Richard Stallman Won't Talk About "AI", He'll Talk About Chatbots and LLMs Lacking Any Intelligence: This really irritates people who dislike the message; so they attack the person
Slopfarms Still Fed by Google, Boosting Fake 'Articles' That Pretend to Cover "Linux": At this point about 80-90% of the search results appear not to be slopfarms
Gemini Links 23/01/2026: The Danish Approach to Deepfakes and Random vi Things: Links for the day
Over at Tux Machines...: GNU/Linux news for the past day
IRC Proceedings: Thursday, January 22, 2026: IRC logs for Thursday, January 22, 2026
Five Years Ago, After We Broke the Story About Richard Stallman Rejoining the FSF's Board, All Hell Broke Loose (for Me and My Family): They generally seem to target anyone who thinks Richard Stallman (RMS) should be in charge or thinks alike about computing
Links 22/01/2026: Slop Fantasy About Patents, Retirement in China Now Reached at Age Seventy: Links for the day
Gemini Links 22/01/2026: Why Europe Does Not Need GAFAMs, XScreenSaver Tinkering, FlatCube: Links for the day
Salvadorans' Usage of GNU/Linux Measured at Record Levels: All-time high
Links 22/01/2026: Ubisoft Layoffs Disguised as "RTO", US "Congress Wants To Hand Your Parenting To GAFAM", Americans' Image Tarnished Among Canadians (Now Planning to "Repel US Invasion"): Links for the day
10 Easy Steps to Follow for Digital Sovereignty in Nations That Distrust GAFAM et al: When "enough is enough"
No, the Problem at IBM/Red Hat Isn't Diversity: Microsoft Lunduke also openly shows his admiration for Pedo Cheeto
Do Not Link to Linuxiac Anymore, Linuxiac Became a Slopfarm: now Linuxiac is slop
Dr. Andy Farnell Explains Why Slop Companies Like Anthropic and Microsoft 'Open' 'AI' Basically Plunder and Rob People: This article was published last night at around 10
Richard Stallman (RMS) at Georgia Tech Tomorrow: After the talk we'll write a lot about "cancel culture" and online mobs fostered and emboldened in social control media
Software Patents by Any Other Name: There is no such thing as "AI" patents
Over at Tux Machines...: GNU/Linux news for the past day
IRC Proceedings: Wednesday, January 21, 2026: IRC logs for Wednesday, January 21, 2026
The "Alicante Mafia" - Part VIII - Salary Cuts to Staff, 100,000 Euros to Managers Busted Using Cocaine (for Doing Absolutely Nothing, Just Pretending to be "Sick"): Today we look at slides from the union
Gemini Links 22/01/2026: Forest Monk, Aurora Observation, and Arduino Officially Launches the More Powerful Arduino UNO Q 4GB Single-Board Computer: Links for the day
Next Week is Close Enough for Wall Street Storytelling About 'Efficiency' by Layoffs for "AI": This coming week GAFAM and others will tell some creative tales about how "AI" something something...
Google News Still a Feeder of Slop About "Linux", Which Became Rarer in 2026: Our main concern these days is what happened to Linuxiac. Bobby Borisov became a chatbots addict.
Links 21/01/2026: "Snap Settles Lawsuit on Social Media Addiction" and Attempts in the US to Revive Software Patents: Links for the day
Links 21/01/2026: Microsoft 'Open' 'Hey Hi' in More Trouble, US Has "Brown Shirts" Problem: Links for the day
Yesterday Afternoon The Register MS Published Paid Microsoft SPAM Disguised as an Article About "AI PCs": The Register MS cannot help itself, can it? [...] Follow the money.
Microsoft's XBox is in Effect Dead Already, Now It's a Streaming and Advertising Platform: Expect many layoffs soon
Richard Stallman's Talk at Georgia Tech is Just 2 Days Away: We're still curious to see how malicious people (or trolls) in social control media will try to slant his talk as "bad"
EPO's Web Site Misused for Propaganda About Illegal Kangaroo Courts to Distract From EPO Scandals and Judicial Crisis in Europe: UPC is illegal and unconstitutional
The "Alicante Mafia" - Part VII - The Industrial Actions Began Yesterday, Here's Why: The "Alicante Mafia" might not last much longer
Gemini Links 21/01/2026: Edible Circuits and "Sayonara HTTP": Links for the day
Over at Tux Machines...: GNU/Linux news for the past day
IRC Proceedings: Tuesday, January 20, 2026: IRC logs for Tuesday, January 20, 2026
IBM Hides Its Own Destruction (and Red Hat's): It's like scenes out of '1984', which is what a now-famous advertisement from Apple compared IBM to