On Sat, Mar 30, 2024 at 1:08 PM Dave Ihnat <dihnat(a)dminet.com> wrote:
Didn't see this go by, but it looks hot enough to risk a repeat posting.
From a friend:
It appears there's been a very serious effort to backdoor sshd on
Linux via the xz compression/decompression system.
https://www.openwall.com/lists/oss-security/2024/03/29/4
If you have anything running very recent Linux, it's worth investigating
whether you're affected.
Lasse Collin, the author of xz, published a statement at
<
https://tukaani.org/xz-backdoor/>.
And to be clear, the bad actor is Jia Tan. Lasse appears to be
collateral damage.
IBM Red Hat says, if you're running Fedora 40 or Fedora
Rawhide:
> PLEASE IMMEDIATELY STOP USAGE OF ANY FEDORA
> RAWHIDE INSTANCES for work or personal activity.
The identity that did this got to the point of being not only an xz
maintainer but a Linux kernel contributor, and contributed to a number
of other Open Source projects as well over the course of years. The
identity may have been compromised to do this, or may have been created
to do this, and may have used other contributions to build rapport or
to compromise more projects as well.
Jia Tan pulled his shenanigans on libarchive, too:
<
https://github.com/libarchive/libarchive/pull/1609>.
I looked at the detection script available at the URL in the posting.
It's
harmless at worst (don't know yet if it can detect anything).
Here are Debian and Gentoo bugs tracking the issue:
*
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068024
*
https://bugs.gentoo.org/928134
Jeff