556: The xz Backdoor Exposed 🚨

We're breaking down the attack: how it works, how it was hidden, and why time was running out for the attacker.Sponsored By:Tailscale: Tailscale is a programmable networking software that is private and secure by default - get it free on up to 100 devices!Kolide: Kolide is a device trust solution for companies with Okta, and they ensure that if a device isn't trusted and secure, it can't log into your cloud apps.Support LINUX UnpluggedLinks:💥 Gets Sats Quick and Easy with Strike📻 LINUX Unplugged on Fountain.FMoss-security mailing list — Backdoor in upstream xz/liblzma leading to ssh server compromise.Fedora AnnouncementDebian AnnouncementUbuntu AnnouncementKali Linux AnnouncementArch Linux AnnouncementGentoo AnnouncementopenSUSE Tumbleweeed AnnouncementNixOS Unstable DiscussionWhy does it take two weeks for NixOS to replace xz?Andres Freund on Mastodon — I was doing some micro-benchmarking at the time, needed to quiesce the system to reduce noise. Saw sshd processes were using a surprising amount of CPU, despite immediately failing because of wrong usernames etc....rwmj on Hacker News — Very annoying - the apparent author of the backdoor was in communication with me over several weeks trying to get xz 5.6.x added to Fedora 40 & 41 because of its "great new features"A Microcosm of the interactions in Open Source projects — Make no mistake. This is the way it works. It needs to change.Devuan GNU/Linux on X — Devuan is not affected by the latest vulnerability caused by systemd.systemd PR: Dynamically load compression librariesMatteo Croce on X — I'm the author of such PR. While I absolutely didn't know that libxz had a backdoor, I really think that libraries should be loaded on-demand when rarely used, hence my change :)Ryan C. Gordon on X — This is probably how the xz thing happened, right?Jan Wildeboer on the Fediverse — Again the FOSS world has proven to be vigilant and proactive in finding bugs and backdoors, IMHO.Unplugged Core MembershipTXLF is coming up! — April 12 - 13 in Austin, Texas.LFNW coming up! — April 26 - 28Mobile Game Ads Are Boosting Podcast Follower Counts — Wondery, iHeart and Lemonada Media are all using a non-public product from MowPod - which gives extra lives and game credits to gamers if they follow shows on Apple Podcasts from game apps.MowPod's podcast promotion tools: tales from the barfortydeux's NixOS ConfigsPrism Launcher — An Open Source Minecraft launcher with the ability to manage multiple instances, accounts and mods.World Backup Day — March 31st — One small accident or failure could destroy all the important stuff you care about.Updating Our Fiddly Bits | LINUX Unplugged 494