Unfolding now: https://news.ycombinator.com/item?id=39865810
- https://www.openwall.com/lists/oss-security/2024/03/29/4
- https://github.com/tukaani-project/xz/commit/cf44e4b7f5dfdbf8c78aef377c10f71e274f63c0
An incredibly technically complex #backdoor in xz (potentially also in libarchive and elsewhere) was just discovered. This backdoor has been quietly implemented over years, with the assistance of a wide array of subtly interconnected accounts:
- https://github.com/tukaani-project/xz/commit/ee44863ae88e377a5df10db007ba9bfadde3d314
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1067708
- https://github.com/jamespfennell/xz/pull/2
The timeline on this is going to take so long to unravel