2024-03-29
Compression library for xz compromised upstream

Andres Freund has reported that the upstream xz repository has been compromised with a backdoor, which can affect any software that relies on the liblzma library. This compromise can, in turn, affect secure shell logins on distributions that run systemd. "After observing a few odd symptoms around liblzma (part of the xz package) on Debian Sid installations over the last weeks (logins with ssh taking a lot of CPU, valgrind errors) I figured out the answer: The upstream xz repository and the xz tarballs have been backdoored. At first I thought this was a compromise of Debian's package, but it turns out to be upstream."
Freund's mailing list post goes on to explain how the backdoor was found and why it affects OpenSSH sessions on Debian and related distributions, even though OpenSSH itself does not depend on lzma: the link is indirect, through the distribution's systemd patch. "OpenSSH does not directly use liblzma. However Debian and several other distributions patch OpenSSH to support systemd notification, and libsystemd does depend on lzma. Initially starting sshd outside of systemd did not show the slowdown, despite the backdoor briefly getting invoked. This appears to be part of some countermeasures to make analysis harder."
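The dependency chain described above (sshd patched for systemd notification, libsystemd linked against liblzma) is something an administrator can check on a running host. The script below is an added example, not code from the LWN item, from Freund's report, or from the OpenSSH or xz projects. It assumes `ldd` is available and that sshd is installed at /usr/sbin/sshd; the `ldd` output embedded in it is constructed to resemble a Debian system with the systemd patch and was not captured from a real machine.

```shell
#!/bin/sh
# Added example (not from the LWN item or from Andres Freund's report):
# report whether an sshd binary maps liblzma at runtime and whether
# libsystemd is also present, i.e. the indirect path the report describes.

# classify_deps reads ldd-style output on stdin and prints one of:
#   "clean"                  neither libsystemd nor liblzma is mapped
#   "liblzma via libsystemd" both are mapped (the Debian sshd situation)
#   "liblzma direct"         liblzma is mapped without libsystemd
#   "libsystemd only"        libsystemd present but built without lzma
classify_deps() {
    has_systemd=0
    has_lzma=0
    while IFS= read -r line; do
        case "$line" in
            *libsystemd.so*) has_systemd=1 ;;
            *liblzma.so*)    has_lzma=1 ;;
        esac
    done
    if [ "$has_lzma" -eq 1 ] && [ "$has_systemd" -eq 1 ]; then
        echo "liblzma via libsystemd"
    elif [ "$has_lzma" -eq 1 ]; then
        echo "liblzma direct"
    elif [ "$has_systemd" -eq 1 ]; then
        echo "libsystemd only"
    else
        echo "clean"
    fi
}

# check_sshd runs ldd on a real binary (default: /usr/sbin/sshd, an assumed
# path) and classifies the result.
check_sshd() {
    sshd_path="${1:-/usr/sbin/sshd}"
    ldd "$sshd_path" 2>/dev/null | classify_deps
}

# Constructed sample resembling `ldd /usr/sbin/sshd` on a Debian host whose
# OpenSSH carries the systemd-notification patch. Load addresses are fake.
SAMPLE_DEBIAN='	linux-vdso.so.1 (0x00007ffd4a5e9000)
	libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f3b2c200000)
	libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f3b2c100000)
	liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f3b2c0c0000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3b2be00000)'

# Stand-alone run: classify the constructed sample, then the live sshd if
# both ldd and the binary exist on this machine.
printf 'sample: %s\n' "$(printf '%s\n' "$SAMPLE_DEBIAN" | classify_deps)"
if command -v ldd >/dev/null 2>&1 && [ -x /usr/sbin/sshd ]; then
    printf 'live sshd: %s\n' "$(check_sshd /usr/sbin/sshd)"
fi
```

Two caveats for anyone using this on a suspect host. `ldd` prints the flattened transitive closure, so "liblzma via libsystemd" is an inference from both libraries being present; `readelf -d /usr/sbin/sshd | grep NEEDED` lists only sshd's direct DT_NEEDED entries and will show libsystemd but not liblzma, which confirms the indirection. And `ldd` can hand control to the program's dynamic loader, so on a machine you suspect is compromised prefer the static `readelf` or `objdump -p` view over running `ldd` against the binary.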