Malicious code planted in xz Utils has been circulating for more than a month.
GolbatsEverywhere
This might have been the worst Linux backdoor in history except that it was caught so soon. An SSH authentication backdoor is surely worse than the Debian weak keys incident and also worse than Heartbleed, the two most notorious Linux security incidents that I can think of. Probably this would have been abused to hack most if not all of the Fortune 500, except Mr. Freund decided to investigate some small performance issue that anybody else would have dismissed as unimportant. We are spared only due to sheer dumb luck. This guy has probably just averted at least billions of dollars worth of damages. Cannot emphasize enough how grateful we should be to him right now.
dwrd
Big oof, after reading the commit messages, I'm going to have to assume they owed some bad people a lot of money, or they had an involuntary sleepover at an undisclosed location with several ill-tempered fellows from the state secret police agency.
This could have made it into a lot more places had they not been doing benchmarking at just the right time.
Milliseconds. About 500 milliseconds. That's what started him down the rabbit hole. He was bothered by a half-second hiccup in an ssh connection refusal.
crepuscularbrolly
Andres Freund's post on Openwall indicates the backdoor is only injected if:
Targeting only x86-64 Linux
Building with gcc and the GNU linker
Running as part of a Debian or RPM package build
But, better safe than sorry.
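The three build-environment conditions listed in the comment above, written out as a POSIX shell predicate so they can be checked against an actual build host. This is an added example, not the page's own code and not the backdoor's m4 script; the match strings (the host triple pattern, "gcc" in the compiler banner, "GNU ld" in the linker banner) and the environment variables used to recognise a Debian or RPM package build (DEB_BUILD_ARCH from dpkg-buildpackage, RPM_ARCH from rpmbuild) are assumptions of this example, while the three conditions themselves come from the comment.

```shell
#!/bin/sh
# Added example (not the page's or the xz project's code): evaluate the
# three injection conditions the comment summarises from Freund's post.
# The exact strings matched here are assumptions; the conditions are not.

# xz_injection_conditions_met HOST CC_VERSION LD_VERSION PKG_BUILD_ENV
#   HOST          configure host triple, e.g. x86_64-pc-linux-gnu
#   CC_VERSION    first line of `$CC --version`
#   LD_VERSION    first line of `$LD -v`
#   PKG_BUILD_ENV "deb", "rpm" or "" (which packaging build, if any)
# Returns 0 (true) only when all three conditions hold at once.
xz_injection_conditions_met() {
    host=$1; cc_ver=$2; ld_ver=$3; pkg=$4
    # 1. x86-64 Linux target (glibc triple; the pattern is an assumption)
    case "$host" in
        x86_64-*linux-gnu) ;;
        *) return 1 ;;
    esac
    # 2. gcc as the compiler and GNU ld as the linker
    case "$cc_ver" in
        *gcc*|*GCC*) ;;
        *) return 1 ;;
    esac
    case "$ld_ver" in
        *"GNU ld"*) ;;
        *) return 1 ;;
    esac
    # 3. building inside a Debian or RPM package build
    case "$pkg" in
        deb|rpm) return 0 ;;
        *) return 1 ;;
    esac
}

# Recognise a packaging build from the environment. Which variables to
# look at is an assumption: dpkg-buildpackage exports DEB_BUILD_ARCH,
# rpmbuild exports RPM_ARCH. Prints "deb", "rpm" or nothing.
detect_pkg_build_env() {
    if [ -n "${DEB_BUILD_ARCH:-}" ]; then
        echo deb
    elif [ -n "${RPM_ARCH:-}" ]; then
        echo rpm
    else
        echo ""
    fi
}

# Gather the same inputs from the machine this runs on and report.
# Returns 0 when the current environment matches all three conditions.
check_this_build() {
    cc=${CC:-cc}; ld=${LD:-ld}
    host=$("$cc" -dumpmachine 2>/dev/null || echo unknown)
    cc_ver=$("$cc" --version 2>/dev/null | head -n 1)
    ld_ver=$("$ld" -v 2>/dev/null | head -n 1)
    if xz_injection_conditions_met "$host" "$cc_ver" "$ld_ver" "$(detect_pkg_build_env)"; then
        echo "build environment matches all three injection conditions"
        return 0
    fi
    echo "build environment does not match the injection conditions"
    return 1
}
```

Run `check_this_build` on a builder to see whether it would have satisfied the predicate; a plain developer checkout on the same machine (no packaging variables set) fails the third condition, which is exactly why the injected code stayed out of most local builds while landing in distribution packages.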