Late Night Linux

Late Night Linux – Episode 276

Apr 7, 2024

A backdoor in xz-utils causing SSH server compromises, community efforts to address the issue, delays in software releases, and upcoming Linux events in the UK. OggCamp details shared by Gary. Vulnerabilities in open source projects, security measures, and challenges in project management discussed.

29:07

Creator website

AI Summary

AI Chapters

Episode notes

Podcast summary created with Snipd AI

Quick takeaways

The discovery of the XZ Utils backdoor showcases the importance of community-driven security efforts in open-source projects.

The incident underscores the significance of transparency and thorough scrutiny in identifying and addressing vulnerabilities in software development.

Deep dives

XZ Utils Backdoor Discovery

A backdoor in XZ Utils was uncovered by a Microsoft employee named Andreas Find during his free time. The sophisticated backdoor, introduced by someone using the alias G.A. Tan, was carefully integrated into XZ Utils over time, granting SSH access with a specific private key. This backdoor made its way into various distributions like Debian, Fedora, and almost into Ubuntu 24.04, leading to a delay in the Ubuntu 24.04 beta release.

Introduction

4min

Uncovering Vulnerabilities in Open Source Projects

6min

Navigating Project Management and Supply Chain Dynamics in Open Source Development

2min

Ensuring Security in Open Source Projects

11min

Challenges and Uncertainty in Test Corpus Usage

3min

Event Organization and Updates

4min

There’s only one news story this week and it’s a big one. A backdoor has been found in xz-utils, and there’s a lot to discuss about it. Plus details of a couple of Linux events in the UK later this year.

Support us on Patreon and get an ad-free RSS feed with early episodes sometimes

News

Hybrid Cloud Show is a new show that’s part of the Late Night Linux Family!

Subscribe to the All Episodes feed

How one volunteer stopped a backdoor from exposing Linux systems worldwide

backdoor in upstream xz/liblzma leading to ssh server compromise

Everything I know about the XZ backdoor

research!rsc: Timeline of the xz open source attack

XZ threat actor Jia Tan’s change to libarchive which introduced an exploitable situation made it into Windows

New XZ backdoor scanner detects implant in any Linux binary

The Mystery of ‘Jia Tan,’ the XZ Backdoor Mastermind

Noble Numbat Beta delayed (xz/liblzma security update)