Date: Fri, 29 Mar 2024 08:51:26 -0700
From: Andres Freund
To: oss-security@…ts.openwall.com
Subject: backdoor in upstream xz/liblzma leading to ssh server compromise
After observing a few odd symptoms around liblzma (part of the xz package) on Debian sid installations over the last weeks (logins with ssh taking a lot of CPU, valgrind errors) I figured out the answer:
The upstream xz repository and the xz tarballs have been backdoored.
At first I thought this was a compromise of Debian’s package, but it turns out to be upstream.
openwall.com