Quoted note: The xz package was backdoored, and the payload appears to be targeting SSH on x86_64 Fedora and Debian.
What you need to know:
- The backdoored version did not make it into any stable distros
- It was caught about a month after it was introduced
- It did make it into some bleeding edge distros (e.g. Debian's unstable branch: sid)
- It only affected the binary releases, so if you build from source, you were safe from this one
- It was only caught because the backdoor caused some tests to take a half second longer, someone noticed this and decided to investigate why
Get the technical details directly from the person who discovered it: https://www.openwall.com/lists/oss-security/2024/03/29/4
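The quoted note says the backdoor was only noticed because some tests ran about half a second slower. As an added example (not part of the quoted note or Enki's post), here is a small Python timing-regression check of the kind a CI job could run over per-test durations; the test names and timings are constructed, and the thresholds (a 0.25 s absolute floor plus a robust MAD-based tolerance) are assumptions chosen to keep normal jitter quiet while a half-second jump stands out.

```python
"""Flag test-suite timing regressions from per-test durations.

Added example, not code from the original post. All sample timings below are
constructed; the thresholds are assumptions, not values from the post.
"""
from statistics import median

# Constructed sample: wall-clock seconds per test across five prior CI runs.
BASELINE_RUNS = {
    "test_compress":   [0.21, 0.20, 0.22, 0.21, 0.20],
    "test_decompress": [0.18, 0.19, 0.18, 0.18, 0.19],
    "test_ssh_login":  [0.31, 0.30, 0.32, 0.31, 0.30],
}

# Constructed sample: the latest run, where one test is ~0.5 s slower.
CURRENT_RUN = {
    "test_compress": 0.22,
    "test_decompress": 0.19,
    "test_ssh_login": 0.84,
}


def mad(values, center):
    """Median absolute deviation around `center` (robust spread estimate)."""
    return median(abs(v - center) for v in values)


def flag_regressions(baseline_runs, current_run, min_delta=0.25, k=5.0):
    """Return {test: (baseline_median, current, delta)} for tests whose current
    duration exceeds the baseline median by at least `min_delta` seconds AND by
    more than `k` robust standard deviations (MAD scaled by 1.4826).

    Tests with no history are skipped: there is nothing to compare against.
    """
    flagged = {}
    for name, current in current_run.items():
        history = baseline_runs.get(name)
        if not history:
            continue
        base = median(history)
        # Floor the spread so a perfectly flat history still yields a tolerance.
        spread = mad(history, base) or 0.01
        delta = current - base
        if delta >= min_delta and delta > k * 1.4826 * spread:
            flagged[name] = (base, current, round(delta, 3))
    return flagged


def report(flagged):
    """Human-readable lines for a CI log; returns the lines rather than printing."""
    return [
        f"SLOWER: {name} baseline {base:.2f}s -> now {cur:.2f}s (+{delta:.2f}s)"
        for name, (base, cur, delta) in sorted(flagged.items())
    ]


if __name__ == "__main__":
    for line in report(flag_regressions(BASELINE_RUNS, CURRENT_RUN)):
        print(line)
```

With the constructed data only `test_ssh_login` is flagged; the two compression tests drift by 0.01 s and stay quiet. Feeding real per-test timings from a test runner in place of the constructed dictionaries is the only change needed to use it.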
Enki on Nostr: This whole circumstance still kind of blows my mind.