Episode Details
Back to Episodes556: The xz Backdoor Exposed π¨
Published 1Β year, 11Β months ago
Description
We're breaking down the attack: how it works, how it was hidden, and why time was running out for the attacker.
Sponsored By:
- Tailscale: Tailscale is a programmable networking software that is private and secure by default - get it free on up to 100 devices!
- Kolide: Kolide is a device trust solution for companies with Okta, and they ensure that if a device isn't trusted and secure, it can't log into your cloud apps.
Links:
- π₯ Gets Sats Quick and Easy with Strike
- π» LINUX Unplugged on Fountain.FM
- oss-security mailing list β Backdoor in upstream xz/liblzma leading to ssh server compromise.
- Fedora Announcement
- Debian Announcement
- Ubuntu Announcement
- Kali Linux Announcement
- Arch Linux Announcement
- Gentoo Announcement
- openSUSE Tumbleweeed Announcement
- NixOS Unstable Discussion
- Why does it take two weeks for NixOS to replace xz?
- Andres Freund on Mastodon β I was doing some micro-benchmarking at the time, needed to quiesce the system to reduce noise. Saw sshd processes were using a surprising amount of CPU, despite immediately failing because of wrong usernames etc....
- rwmj on Hacker News β Very annoying - the apparent author of the backdoor was in communication with me over several weeks trying to get xz 5.6.x added to Fedora 40 & 41 because of its "great new features"
- A Microcosm of the interactions in Open Source projects β Make no mistake. This is the way it works. It needs to change.
- Devu