Security Breach in XZ Project and Listener Interaction on Linux Desktop Setups

We're breaking down the attack: how it works, how it was hidden, and why time was running out for the attacker.

Sponsored By:

• Tailscale: Tailscale is a programmable networking software that is private and secure by default - get it free on up to 100 devices!
• Kolide: Kolide is a device trust solution for companies with Okta, and they ensure that if a device isn't trusted and secure, it can't log into your cloud apps.

Support LINUX Unplugged

Links:

• 💥 Gets Sats Quick and Easy with Strike
• 📻 LINUX Unplugged on Fountain.FM
• oss-security mailing list — Backdoor in upstream xz/liblzma leading to ssh server compromise.
• Fedora Announcement
• Debian Announcement
• Ubuntu Announcement
• Kali Linux Announcement
• Arch Linux Announcement
• Gentoo Announcement
• openSUSE Tumbleweeed Announcement
• NixOS Unstable Discussion
• Why does it take two weeks for NixOS to replace xz?
• Andres Freund on Mastodon — I was doing some micro-benchmarking at the time, needed to quiesce the system to reduce noise. Saw sshd processes were using a surprising amount of CPU, despite immediately failing because of wrong usernames etc....
• rwmj on Hacker News — Very annoying - the apparent author of the backdoor was in communication with me over several weeks trying to get xz 5.6.x added to Fedora 40 & 41 because of its "great new features"
• A Microcosm of the interactions in Open Source projects — Make no mistake. This is the way it works. It needs to change.
• Devuan GNU/Linux on X — Devuan is not affected by the latest vulnerability caused by systemd.
• systemd PR: Dynamically load compression libraries
• Matteo Croce on X — I'm the author of such PR. While I absolutely didn't know that libxz had a backdoor, I really think that libraries should be loaded on-demand when rarely used, hence my change :)
• Ryan C. Gordon on X — This is probably how the xz thing happened, right?
• Jan Wildeboer on the Fediverse — Again the FOSS world has proven to be vigilant and proactive in finding bugs and backdoors, IMHO.
• Unplugged Core Membership
• TXLF is coming up! — April 12 - 13 in Austin, Texas.
• LFNW coming up! — April 26 - 28
• Mobile Game Ads Are Boosting Podcast Follower Counts — Wondery, iHeart and Lemonada Media are all using a non-public product from MowPod - which gives extra lives and game credits to gamers if they follow shows on Apple Podcasts from game apps.
• MowPod's podcast promotion tools: tales from the bar
• fortydeux's NixOS Configs
• Prism Launcher — An Open Source Minecraft launcher with the ability to manage multiple instances, accounts and mods.
• World Backup Day — March 31st — One small accident or failure could destroy all the important stuff you care about.
• Updating Our Fiddly Bits | LINUX Unplugged 494