TL;DR: if you run a .deb or .rpm distro based server with public ssh, check if you need to update it ASAP
This is one of the craziest things I have seen in a while. Purely by accident, someone stumbled upon a backdoor in the xz compression library that intercepts certain cryptographic calls made by other applications or libraries linked to it. The way they obfuscated it into the build process as a unit test is pretty cunning. Looks like it's a 'Remote Code Execute' rather than auth bypass, but the worry is if other things like this have been missed before.
FAQ: https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27
Original Details: https://www.openwall.com/lists/oss-security/2024/03/29/4
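The "check if you need to update" step, as an added example script (not from the post, the linked FAQ, or the xz project). It reports whether the host's sshd binary pulls in liblzma, directly or through another library, and which liblzma package version the package manager says is installed, so the result can be compared against your distribution's advisory. It assumes a dpkg-based system with the package name liblzma5 or an RPM-based one with xz-libs, and sshd at one of the usual paths; the ldd output embedded in the script is a constructed sample used only to exercise the parser.

```shell
#!/bin/sh
# Added example, not the post's or the xz project's code: defender-side check for
# (1) whether sshd is linked (possibly transitively, e.g. via libsystemd, which is
#     why ldd is used instead of readelf -d on the binary alone) against liblzma, and
# (2) the installed liblzma package version, to compare with your distro's advisory.
# Assumed package names: liblzma5 (dpkg) and xz-libs (rpm).

# link_status LDD_OUTPUT -> prints "linked" if liblzma appears in the ldd output, else "not-linked"
link_status() {
    if printf '%s\n' "$1" | grep -q 'liblzma\.so'; then
        echo linked
    else
        echo not-linked
    fi
}

# installed_xz_version -> prints the package version from dpkg or rpm, or "unknown"
# (rpm prints "package ... is not installed" on stdout, so the exit status is checked too)
installed_xz_version() {
    v=""
    if command -v dpkg-query >/dev/null 2>&1; then
        v=$(dpkg-query -W -f='${Version}' liblzma5 2>/dev/null) || v=""
    elif command -v rpm >/dev/null 2>&1; then
        v=$(rpm -q --qf '%{VERSION}-%{RELEASE}' xz-libs 2>/dev/null) || v=""
    fi
    if [ -n "$v" ]; then echo "$v"; else echo unknown; fi
}

# Constructed sample of ldd output (not captured from a real host), used to show the parser
SAMPLE_LDD='	linux-vdso.so.1 (0x0000)
	libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x0000)
	liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x0000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x0000)'

echo "sample ldd output liblzma: $(link_status "$SAMPLE_LDD")"

# Live check on this host; skipped silently if sshd is not installed
for p in /usr/sbin/sshd /usr/bin/sshd; do
    if [ -x "$p" ]; then
        out=$(ldd "$p" 2>/dev/null || true)
        echo "sshd ($p) liblzma: $(link_status "$out")"
        break
    fi
done
echo "installed liblzma package version: $(installed_xz_version)"
```

Run it as root or a normal user on the server; "linked" only means sshd loads liblzma at runtime, so the version line is what decides whether the package needs updating, and a version that is "unknown" means the package name assumed here does not match your distribution.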