Nathan
Canonical has announced it is delaying the beta release of Ubuntu 24.04 in the wake of the XZ backdoor that stunned the Linux community last week.
Microsoft engineer Andres Freund discovered that XZ Utils, a popular compression library used by nearly every major Linux distro, was compromised with a malicious backdoor. Rather than being a brute-force attack, initial investigation revealed that the backdoor had been inserted by one of the project’s legitimate maintainers.
In what can only be described as a years-long concerted effort, the bad actor bullied the project’s original maintainer into handing over co-maintainer rights before proceeding to carefully insert the backdoor code, pressure distro maintainers into adopting the compromised version, and make an effort to hide their real motives.
Fortunately, Freund discovered the backdoor before the compromised version made its way into any stable distro, such as Ubuntu, Fedora, or Debian. Nonetheless, development builds of Ubuntu and Fedora were compromised.
Linux XZ Utils Supply Chain Attack—What You Should Know