556: The xz Backdoor Exposed
31 March 2024
We're breaking down the attack: how it works, how it was hidden, and why time was running out for the attacker.
Sponsors
Tailscale
Tailscale is programmable networking software that is private and secure by default - get it free on up to 100 devices!
Kolide
Kolide is a device trust solution for companies with Okta, and they ensure that if a device isn't trusted and secure, it can't log into your cloud apps.
Episode Links
- Get Sats Quick and Easy with Strike
- LINUX Unplugged on Fountain.FM
- oss-security mailing list - Backdoor in upstream xz/liblzma leading to ssh server compromise.
- Fedora Announcement
- Debian Announcement
- Ubuntu Announcement
- Kali Linux Announcement
- Arch Linux Announcement
- Gentoo Announcement
- openSUSE Tumbleweed Announcement
- NixOS Unstable Discussion
- Why does it take two weeks for NixOS to replace xz?
- Andres Freund on Mastodon - I was doing some micro-benchmarking at the time, needed to quiesce the system to reduce noise. Saw sshd processes were using a surprising amount of CPU, despite immediately failing because of wrong usernames etc….
- rwmj on Hacker News - Very annoying - the apparent author of the backdoor was in communication with me over several weeks trying to get xz 5.6.x added to Fedora 40 & 41 because of its "great new features"
- A Microcosm of the interactions in Open Source projects - Make no mistake. This is the way it works. It needs to change.
- Devuan GNU/Linux on X - Devuan is not affected by the latest vulnerability caused by systemd.
- systemd PR: Dynamically load compression libraries
- Matteo Croce on X - I'm the author of such PR. While I absolutely didn't know that libxz had a backdoor, I really think that libraries should be loaded on-demand when rarely used, hence my change :)
- Ryan C. Gordon on X - This is probably how the xz thing happened, right?
- Jan Wildeboer on the Fediverse - Again the FOSS world has proven to be vigilant and proactive in finding bugs and backdoors, IMHO.
- Unplugged Core Membership
- TXLF is coming up! - April 12 - 13 in Austin, Texas.
- LFNW coming up! - April 26 - 28
- Mobile Game Ads Are Boosting Podcast Follower Counts - Wondery, iHeart and Lemonada Media are all using a non-public product from MowPod, which gives extra lives and game credits to gamers if they follow shows on Apple Podcasts from game apps.
- MowPod's podcast promotion tools: tales from the bar
- fortydeux's NixOS Configs
- Prism Launcher - An Open Source Minecraft launcher with the ability to manage multiple instances, accounts and mods.
- World Backup Day - March 31st - One small accident or failure could destroy all the important stuff you care about.
- Updating Our Fiddly Bits | LINUX Unplugged 494