Introduction In March 2024, a backdoor was discovered in xz, a (de)-compression software that is regularly used at the core of Linux distributions to unpack...
Kaspersky's analysis of the backdoor recently found in XZ, which is used in many popular Linux distributions and in the OpenSSH server process.
Links to analysis, discussion and more related to the xz/liblzma compromise (CVE-2024-3094).
In late March 2024, the open source community discovered a backdoor in XZ Utils, a suite of tools that use the xz compression algorithm. The xz backdoor was embedded inside liblzma and took effect when liblzma was used in OpenSSH, a common remote-login tool. You can read about this extensively in many places elsewhere. Since then, many people have leveraged the xz backdoor to highlight their favorite systemic issue in open source. Jen Easterly, the head of CISA, argued that the only way to stop another backdoor is by having more corporate support for open source. This opinion was echoed by Meredith Whittaker, the CEO of Signal. A similar opinion among developers is that the only way to secure the open source ecosystem is by offering some sort of Universal Basic Income (UBI) so that developers can work on open source full time.
xz-utils backdoor situation (CVE-2024-3094). GitHub Gist: instantly share code, notes, and snippets.