[LUG]Re: Backdoor found in key library liblzma (xz-utils)

[LUG]Re: Backdoor found in key library liblzma (xz-utils) - CVE-2024-3094

To: list@xxxxxxxxxxxxx

Subject: [LUG]Re: Backdoor found in key library liblzma (xz-utils) - CVE-2024-3094

From: Tim Dobson <lists@xxxxxxxxxxx>

Date: Sat, 30 Mar 2024 03:05:25 +0000

Delivered-to: dclug@xxxxxxxxxxxxxxxxxxxxx

Dkim-signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=dcglug.org.uk; s=1697101561; h=Content-Type:List-Unsubscribe:List-Subscribe :List-Post:List-Owner:List-Help:List-Id:Subject:Reply-To:To:Message-ID:Date: From:In-Reply-To:References:MIME-Version:Sender:Cc:Content-Transfer-Encoding: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Archive; bh=5WwI2msM6UtyTNF/srd0sHIJRWR7VezvH2h+PVM15pY=; b=hWZjjHYxp2y7POb+tazZWFY0di VL58I/BDwxRoCZM2VlHc7wj7YmS88dtP2+I0tam6fAhdBOd69a2oHd8pWnchrtbLD0KhEJ2gv9KlB 1tPhmvPEHbRszpbpILoSA/LEPOavbqT0pru/aLu6ynJ07Ld0PJdzYBqShq8ZJAXeL014=;

Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tdobson.net; s=google; t=1711767962; x=1712372762; darn=dcglug.org.uk; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :from:to:cc:subject:date:message-id:reply-to; bh=yPuLosTgI7yxNwFRnpXUt/1XN8sUcDPTUReUXxR8d4E=; b=X1HmzTNdGMKPgS3nk/AhXWFB6B2wEAf9z4SsyRCAJ/puX2u1F4HagpN8qFnr+uquy+ yxz4aR5MI0wBjhfTvAfoVZsTIFgl2M3xyamE1VcFbc334nJY478Pk+NPWH5sNqq30cFk TV47kLTFA78z5RxaEvuwrmqoHIOmofgHshOR04PCRV/3fYTVQFF6bj+Opw7N7yJSJkhN RYJSKCOhxzcHDga7gQjNVyFRK+R/wUfzycwgqL3d8HyFOnylflW3/LkLkxS7FHVHWe0p il8Us12KVTeItcMprRRdjgDZQhsSWxQ+xYnmJoRErXIYnfGMRyjjcaAHmzzlRc3hTRbj EpXA==

On Fri, 29 Mar 2024 at 23:00, Simon Waters <simon@xxxxxxxxxxxxxx> wrote:

Debian bug to possibly revert (it appears Debian Sid and Testing may be
affected). Not sure this adds much light, but the people who found it do
suspect one of the (two) XZ maintainers of being involved.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068024

and people give me abuse for running Stable!

Such an intriguing story, and I feel like we'll never know all the answers... but the human aspect of this is really captivating.

I hope the original maintainer gets some support from friends and the general open source community. It defo sounds like they've had a bad time, and this will be worse.

-- The Mailing List for the Devon & Cornwall LUG FAQ: https://www.dcglug.org.uk/faq/