Unfolding now: https://news.ycombinator.com/item?id=39865810
- https://www.openwall.com/lists/oss-security/2024/03/29/4
- https://github.com/tukaani-project/xz/commit/cf44e4b7f5dfdbf8c78aef377c10f71e274f63c0
An incredibly technically complex #backdoor in xz (potentially also in libarchive and elsewhere) was just discovered. This backdoor has been quietly implemented over years, with the assistance of a wide array of subtly interconnected accounts:
- https://github.com/tukaani-project/xz/commit/ee44863ae88e377a5df10db007ba9bfadde3d314
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1067708
- https://github.com/jamespfennell/xz/pull/2
The timeline on this is going to take so long to unravel
feat: update vendored xz to 5.6.1 by jaredallard · Pull Request #2 · jamespfennell/xz
Updates the vendored version of xz to be 5.6.1. Also updates the vendor script to support the addition of SPDX-License-Identifier headers into some files.GitHub
This entry was edited (1 month ago)
Evan Boehs
in reply to Evan Boehs • • •https://boehs.org/node/everything-i-know-about-the-xz-backdoor
I have begun a post explaining this situation in a more detailed writeup. This is updating in realtime, and there is a lot still missing.
#security #xz #linux
Everything I know about the XZ backdoor
boehs.orgEvan Boehs
in reply to Evan Boehs • • •Glyph
in reply to Evan Boehs • • •Re: [xz-devel] XZ for Java
www.mail-archive.comGlyph
in reply to Glyph • • •