Evan B🥥ehsMar 29, 2024

Unfolding now: https://news.ycombinator.com/item?id=39865810

- https://www.openwall.com/lists/oss-security/2024/03/29/4
- https://github.com/tukaani-project/xz/commit/cf44e4b7f5dfdbf8c78aef377c10f71e274f63c0

An incredibly technically complex #backdoor in xz (potentially also in libarchive and elsewhere) was just discovered. This backdoor has been quietly implemented over years, with the assistance of a wide array of subtly interconnected accounts:

- https://github.com/tukaani-project/xz/commit/ee44863ae88e377a5df10db007ba9bfadde3d314
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1067708
- https://github.com/jamespfennell/xz/pull/2

The timeline on this is going to take so long to unravel

#security #linux

Backdoor in upstream xz/liblzma leading to SSH server compromise | Hacker News

Show threadEvan B🥥ehsMar 29, 2024

https://boehs.org/node/everything-i-know-about-the-xz-backdoor

I have begun a post explaining this situation in a more detailed writeup. This is updating in realtime, and there is a lot still missing.

#security #xz #linux

Everything I know about the XZ backdoor

Please note: This is being updated in real-time. The intent is to make sense of lots of simultaneous discoveries

Show threadWildcarde
@eb well.. everything about this seems awful.
Mar 29, 2024 at 7:50pmWeb