[ Home / Rules / Radio / Streams / Net Friends ] [ cel / digi / lum / ran / vnt / media / lit / ocvid / kind / wap ]

/wap/ - wapchan discussion

for anything surrounding the site itself

 No.1288

SSH backdoor in upstream xz/liblzma release tarballs!
https://www.openwall.com/lists/oss-security/2024/03/29/4

After observing a few odd symptoms around liblzma (part of the xz package) on Debian sid installations over the last weeks (logins with ssh taking a lot of CPU, valgrind errors) I figured out the answer:

The upstream xz repository and the xz tarballs have been backdoored.

At first I thought this was a compromise of Debian's package, but it turns out to be upstream.

 No.1289

>>1288
site has been updated

 No.1290

>>1288
(x) that you are actually Mr. Freund

but the security vulnerability is real. It's important to note that the specific repository affected for the ssh backdoor is actually UPSTREAM from the ssh package itself. The affected package is 5.6.0+ of https://packages.debian.org/sid/liblzma5 for Debian, or xz-utils on Ubuntu https://packages.ubuntu.com/search?keywords=xz-utils

The actual repository is currently private but is called xz. Details on the specifics of the backdoor are given at the provided link in OP. Make sure that the package is *downgraded* to a version prior to 5.6.0 or otherwise removed from the system.
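A script for the check the post above describes: find out whether the installed liblzma5 / xz-utils is in the 5.6.0+ range the thread calls affected. This is an added example, not code from the thread or from the xz project. It assumes a Debian/Ubuntu host with dpkg-query (the package names are the ones given in the post); the is_affected function itself is pure string handling and runs anywhere. It also handles the Debian "+really" convention (a package versioned like 5.6.1+really5.4.5-1 carries the 5.4.5 code) so that a downgraded fix package is not reported as affected.

```shell
#!/bin/sh
# Added example (not part of the thread): report whether the installed
# xz/liblzma is at or above 5.6.0, the range the thread says is backdoored.

# is_affected VERSION
#   returns 0 when VERSION is >= 5.6.0, 1 otherwise.
#   Accepts Debian-style strings: "5.6.1-1", "1:5.4.5-0.3", "5.6.1+really5.4.5-1".
is_affected() {
    v=${1#*:}                      # drop epoch ("1:")
    v=${v%%-*}                     # drop Debian revision ("-1")
    case $v in
        *+really*) v=${v#*+really} ;;   # Debian downgrade convention: real code version follows "+really"
    esac
    major=${v%%.*}
    rest=${v#"$major"}; rest=${rest#.}
    minor=${rest%%.*}
    # keep only the leading digits of each field; missing fields count as 0
    major=${major%%[!0-9]*}; major=${major:-0}
    minor=${minor%%[!0-9]*}; minor=${minor:-0}
    if [ "$major" -gt 5 ]; then return 0; fi
    if [ "$major" -eq 5 ] && [ "$minor" -ge 6 ]; then return 0; fi
    return 1
}

# check_installed [PACKAGE]
#   looks up the installed version with dpkg-query (default package: liblzma5).
#   returns 0 if affected, 1 if not affected or not installed, 2 if dpkg-query is unavailable.
check_installed() {
    pkg=${1:-liblzma5}
    if ! command -v dpkg-query >/dev/null 2>&1; then
        echo "dpkg-query not found; cannot check $pkg" >&2
        return 2
    fi
    ver=$(dpkg-query -W -f='${Version}' "$pkg" 2>/dev/null)
    if [ -z "$ver" ]; then
        echo "$pkg: not installed"
        return 1
    fi
    if is_affected "$ver"; then
        echo "$pkg $ver: in the affected range (>= 5.6.0); downgrade to a version before 5.6.0 or remove it"
        return 0
    fi
    echo "$pkg $ver: below 5.6.0"
    return 1
}

# check_xz_binary
#   same test against the xz binary on PATH ("xz (XZ Utils) 5.6.1" on its first line).
check_xz_binary() {
    command -v xz >/dev/null 2>&1 || { echo "xz binary not on PATH"; return 1; }
    ver=$(xz --version 2>/dev/null | sed -n '1s/.* //p')
    if is_affected "$ver"; then
        echo "xz binary $ver: in the affected range (>= 5.6.0)"
        return 0
    fi
    echo "xz binary $ver: below 5.6.0"
    return 1
}

# Run both checks when executed directly; package name can be passed as $1.
check_installed "${1:-liblzma5}" || true
check_xz_binary || true
```

The version test follows the thread's own statement (everything before 5.6.0 is fine, 5.6.0 and later is not) rather than a fixed list, so it also flags anything newer than 5.6.1 installed from the same tarballs; a later upstream release would need its own judgement. Checking both the package database and the xz binary matters because a locally built xz can be present without a dpkg entry.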


