Kevin BeaumontMar 29, 2024

HT to @wdormann here - somebody has backdoored the open source project XZ which has downstream impacts.

For example, although OpenSSH doesn’t use XZ, Debian patch OpenSSH and introduced a dependency which translates as the XZ changes introducing a sshd authentication bypass backdoor it appears.

One dude bothered to investigate in his free time about why ssh was running slow, so it was caught fairly early - i.e. hopefully before distros started bundling it.

https://www.openwall.com/lists/oss-security/2024/03/29/4

oss-security - backdoor in upstream xz/liblzma leading to ssh server compromise

Show threadKevin BeaumontMar 29, 2024
Worryingly it looks like the backdoor comes via one of the two main devs and dates back over a month from their GitHub account, with legit commits too - XZ is used in systemd so this one might play out for a while.
Show threadEd MasteMar 29, 2024
@GossiTheDog We're incredibly lucky that it wasn't more sophisticated, or it may have gone unnoticed for a long time.
Show threadAlex
@emaste @GossiTheDog Pretty wild that the implication is that this particular backdoor was only caught because it was coded badly enough to have a significant performance impact. What if it’d been better written, I wonder?
Mar 29, 2024 at 5:25pmWeb