
556: The xz Backdoor Exposed 🚨

2024/4/1

LINUX Unplugged


Shownotes

We're breaking down the attack: how it works, how it was hidden, and why time was running out for the attacker.

Sponsored By:

Support LINUX Unplugged

Links:

  • 💥 Gets Sats Quick and Easy with Strike
  • 📻 LINUX Unplugged on Fountain.FM
  • oss-security mailing list - Backdoor in upstream xz/liblzma leading to ssh server compromise.
  • Fedora Announcement
  • Debian Announcement
  • Ubuntu Announcement
  • Kali Linux Announcement
  • Arch Linux Announcement
  • Gentoo Announcement
  • openSUSE Tumbleweed Announcement
  • NixOS Unstable Discussion
  • Why does it take two weeks for NixOS to replace xz?
  • Andres Freund on Mastodon - I was doing some micro-benchmarking at the time, needed to quiesce the system to reduce noise. Saw sshd processes were using a surprising amount of CPU, despite immediately failing because of wrong usernames etc....
  • rwmj on Hacker News - Very annoying - the apparent author of the backdoor was in communication with me over several weeks trying to get xz 5.6.x added to Fedora 40 & 41 because of its "great new features"
  • A Microcosm of the interactions in Open Source projects - Make no mistake. This is the way it works. It needs to change.
  • Devuan GNU/Linux on X - Devuan is not affected by the latest vulnerability caused by systemd.
  • systemd PR: Dynamically load compression libraries
  • Matteo Croce on X - I'm the author of such PR. While I absolutely didn't know that libxz had a backdoor, I really think that libraries should be loaded on-demand when rarely used, hence my change :)
  • Ryan C. Gordon on X - This is probably how the xz thing happened, right?
  • Jan Wildeboer on the Fediverse - Again the FOSS world has proven to be vigilant and proactive in finding bugs and backdoors, IMHO.
  • Unplugged Core Membership
  • TXLF is coming up! - April 12 - 13 in Austin, Texas.
  • LFNW coming up! - April 26 - 28
  • Mobile Game Ads Are Boosting Podcast Follower Counts - Wondery, iHeart and Lemonada Media are all using a non-public product from MowPod - which gives extra lives and game credits to gamers if they follow shows on Apple Podcasts from game apps.
  • MowPod's podcast promotion tools: tales from the bar
  • fortydeux's NixOS Configs
  • Prism Launcher - An Open Source Minecraft launcher with the ability to manage multiple instances, accounts and mods.
  • World Backup Day - March 31st - One small accident or failure could destroy all the important stuff you care about.
  • Updating Our Fiddly Bits | LINUX Unplugged 494
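An added triage script for the attack chain the links above describe (this is example code written for this page, not from the episode, the oss-security post, or any distribution): the backdoor lived in liblzma, and sshd on affected distributions mapped liblzma into its address space through libsystemd, which is why the systemd PR to load compression libraries on demand is relevant. The backdoored releases are xz 5.6.0 and 5.6.1 (CVE-2024-3094). Function names are my own, and the ldd output embedded below is constructed sample data, not captured from a real host.

```shell
#!/bin/sh
# Example triage helper for the xz/liblzma backdoor (CVE-2024-3094).
# Functions take text as input so the logic can be exercised offline;
# pass --live to run the checks against this host.

# Constructed sample ldd output: the shape of an affected sshd, where
# libsystemd drags liblzma into the process. Not from a real machine.
SAMPLE_LDD_AFFECTED='	linux-vdso.so.1 (0x00007ffd00000000)
	libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f0000100000)
	liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f0000200000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000300000)'

# Constructed sample ldd output for an sshd that does not map liblzma at all.
SAMPLE_LDD_CLEAN='	linux-vdso.so.1 (0x00007ffd00000000)
	libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f0000100000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000300000)'

# Return 0 when the given version string is one of the two backdoored releases.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 when the supplied ldd output shows liblzma mapped into the process.
# The exposure that mattered was sshd -> libsystemd -> liblzma, so a sshd that
# never maps liblzma cannot reach the backdoored code path.
links_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# Pull the version number out of "xz (XZ Utils) 5.6.1"-style output.
parse_xz_version() {
    printf '%s\n' "$1" | sed -n 's/.*XZ Utils) \([0-9][0-9.]*\).*/\1/p' | head -n1
}

# Live check of this host; silently skipped when the tools are not present.
check_host() {
    if command -v xz >/dev/null 2>&1; then
        v=$(parse_xz_version "$(xz --version 2>/dev/null)")
        if xz_version_affected "$v"; then
            echo "xz $v is a backdoored release: update or downgrade immediately"
        else
            echo "xz $v is not one of the backdoored releases"
        fi
    fi
    sshd_path=$(command -v sshd 2>/dev/null) || return 0
    command -v ldd >/dev/null 2>&1 || return 0
    if links_liblzma "$(ldd "$sshd_path" 2>/dev/null)"; then
        echo "sshd maps liblzma.so (typically via libsystemd): exposed if xz is affected"
    else
        echo "sshd does not map liblzma.so"
    fi
}

if [ "${1:-}" = "--live" ]; then
    check_host
fi
```

Run it with `--live` to check the local host. The version string is only a first filter: the distribution announcements linked above are the authority on which package builds shipped the backdoored tarballs, so confirm with the package manager (for example `rpm -q xz-libs` or `dpkg -l liblzma5`) rather than trusting `xz --version` alone.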