Backdoor in upstream xz/liblzma leading to SSH server compromise

976

•

Backdoor in upstream xz/liblzma leading to SSH server compromise (www.openwall.com)

Oh, how fun. Just what you want to see on a Friday

Archive: https://archive.today/omFvA HackerNews Archive: https://archive.today/wip/4AV8T

From the post: "After observing a few odd symptoms around liblzma (part of the xz package) on Debian sid installations over the last weeks (logins with ssh taking a lot of CPU, valgrind errors) I figured out the answer:

The upstream xz repository and the xz tarballs have been backdoored.

At first I thought this was a compromise of debian's package, but it turns out to be upstream."

Oh, how fun. Just what you want to see on a Friday Archive: https://archive.today/omFvA HackerNews Archive: https://archive.today/wip/4AV8T From the post: "After observing a few odd symptoms around liblzma (part of the xz package) on Debian sid installations over the last weeks (logins with ssh taking a lot of CPU, valgrind errors) I figured out the answer: The upstream xz repository and the xz tarballs have been backdoored. At first I thought this was a compromise of debian's package, but it turns out to be upstream."

(post is archived)