Versions 5.6.0 and 5.6.1 of the XZ compression utility and library were shipped with a backdoo [...]
xz-utils backdoor situation (CVE-2024-3094).
xz/liblzma Backdoor: Open Source Nuke? Maybe Not That Bad! Story Background: On March 29, 2024, a report exposing a backdoor in the upstream source code of the widely used open-source xz software package was made public on the oss-security mailing list.
There is currently an ongoing discussion on various platforms about a security issue in xz/liblzma; here is what we know at this time. This post informs the community of our assessment of the impact on nixpkgs. Summary: It was discovered that xz, starting with version 5.6.0, shipped malicious code that is only present in, and only executed from, its release tarballs (not the git repository). The malicious code path runs when configure is executed and modifies the resulting liblzma library. Impact: NixOS 2...
Managing insider threats when the whole world is an insider.
In other news: AT&T confirms 2019 data breach; Canonical switches to manual reviews after flood of scam apps; HP leaves Russia.
Heisenberg’s indeterminacy principle formula. Two weeks of links, which includes a collection from the xz debacle. I loved reading these, as this is a good combination of spy story and technology postmortem. If you want to read an overview, read the timeline post. Good podcasts this week: about the Heisenberg principle, and the silencing of climate protesters in the UK. Leadership Getting real with Employee Experience [Podcast] - two good interviews with people active in the area.
Learn about a targeted backdoor supply chain attack against the popular XZ compression utility, which ships in many Linux distributions such as Fedora and Debian.
Discover XZ Utils, renowned for high compression and data integrity. Learn about the recent CVE-2024-3094 backdoor.
The past few days have seen the security world focused on the revelation of the xz/liblzma backdoor. For more background, see this early writeup of the issue, this GitHub Gist, this detailed timeli...
Links to analysis, discussion and more related to the xz/liblzma compromise (CVE-2024-3094).
Please note: This is being updated in real time. The intent is to make sense of lots of simultaneous discoveries.
A malicious backdoor was discovered in the xz library, which implements LZMA compression. xz is used, among many other places, indirectly by sshd. My attempt to explain what happened.
Malicious updates made to a ubiquitous tool were a few weeks away from going mainstream.
As you have probably already heard, the xz package was compromised. The package was used as an entry point to inject malicious code into sshd, altering its authentication flow. This deliberately planted vulnerability is now tracked as CVE-2024-3094.
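The two points that recur across these links (the payload ships only in the 5.6.0/5.6.1 release tarballs and is activated by configure, and it reaches sshd only because sshd indirectly loads liblzma) translate into a first triage pass a practitioner would run on a host. The script below is an added example for this page; it is not code from any of the linked posts or from the xz project. It assumes that xz --version prints "xz (XZ Utils) <version>" on its first line and that ldd is available to list sshd's dynamic dependencies. A matching version string is a necessary but not sufficient indicator: a build from git at the same version does not contain the payload, and distributions that reverted their packages may report different version strings, so their advisories are the authority for packaged builds.

```shell
#!/bin/sh
# Added triage helper (not from the page or the xz project).
# Checks whether an xz version string is one of the two backdoored
# upstream releases (5.6.0, 5.6.1) and whether the local sshd pulls
# liblzma into its process via its dynamic dependencies.
# Assumption: `xz --version` prints "xz (XZ Utils) <version>" first.

# Return 0 if the version string in $1 is a backdoored upstream release.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Read `xz --version` output on stdin and print the version number from
# its first line (e.g. "xz (XZ Utils) 5.4.5" -> "5.4.5").
parse_xz_version() {
    sed -n '1s/.*[[:space:]]\([0-9][0-9.]*\).*/\1/p'
}

# Return 0 if the sshd binary at $1 (default: the sshd on PATH) lists
# liblzma among its dynamic dependencies, 1 if it does not, 2 if no
# sshd binary was found. On distributions that patch sshd to link
# libsystemd, libsystemd is what drags liblzma into the sshd process.
sshd_links_liblzma() {
    sshd_bin="${1:-$(command -v sshd 2>/dev/null)}"
    [ -n "$sshd_bin" ] || return 2
    ldd "$sshd_bin" 2>/dev/null | grep -q 'liblzma'
}

# Print a short report for this host; safe to run on a machine with
# neither xz nor sshd installed.
report() {
    if command -v xz >/dev/null 2>&1; then
        ver="$(xz --version 2>/dev/null | parse_xz_version)"
        if xz_version_affected "$ver"; then
            echo "xz $ver: backdoored upstream release version (CVE-2024-3094)"
        else
            echo "xz $ver: not one of the backdoored release versions"
        fi
    else
        echo "xz not installed"
    fi

    # Capture the three-way status without tripping set -e.
    sshd_links_liblzma "$@" && rc=0 || rc=$?
    case "$rc" in
        0) echo "sshd links liblzma: the payload would have a path into the sshd process" ;;
        1) echo "sshd does not link liblzma" ;;
        *) echo "no sshd binary found" ;;
    esac
}

report "$@"
```

Run it as-is for the sshd found on PATH, or pass an explicit path (for example a chrooted or container image's sshd) as the first argument. Treat a hit on either check as a reason to consult the distribution advisory and the detailed analyses linked above, not as proof on its own that the payload is present.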