Why Nostr? What is Njump?
2024-03-30 18:11:04

Dr. Hax on Nostr: The xz package was backdoored, and the payload appears to be targeting SSH on x86_64 ...

The xz package was backdoored, and the payload appears to be targeting SSH on x86_64 Fedora and Debian.

What you need to know:
- The backdoored version did not make it into any stable distros
- It was caught about a month after it was introduced
- It did make it into some bleeding edge distros (e.g. Debian's unstable branch: sid)
- It only affected the binary releases, so if you build from source, you were safe from this one
- It was only caught because the backdoor caused some tests to take a half second longer, someone noticed this and decided to investigate why

Get the technical details directly from the person who discovered it: https://www.openwall.com/lists/oss-security/2024/03/29/4
Author Public Key
npub16v82nr4xt62nlydtj0mtxr49r6enc5r0sl2f7cq2zwdw7q92j5gs8meqha