The backdoor in xz and liblzma is a serious near miss that thankfully did not make it into most production Linux distributions and could have been far worse if it hadn't been caught by a developer noticing his ssh login took an extra half a second. This hack is an impressive long con by someone who had been given maintainer status in the tool. We will cover how it worked from a high level, how it almost was a far more serious issue than it is, and what it means for the FOSS world. (Also why this issue is causing me to lose sleep over it.)
(This was noted in an Ars Technica article on March 29 (i.e., ~20 days ago). The same day, STLLUG members were posting it in our DISCUSS email list. On April 11, there was a ~5 min on-air interview with the Microsoft engineer who discovered it, including comments about open-source vs. closed-source. This interview was on the general public's NPR radio. The backdoor seems to have been loose in the public since at least Feb 2023?) CVE-2024-3094
Andrew Denner is a Senior Scientific Computing Software Developer at Corteva Agriscience and the president of the Central Iowa Linux Users Group. When not computing he enjoys camping in his 1994 Pace Arrow Camper with his wife and 15-month-old son.
The Saint Louis, MO, STL Linux Users Group (STLLUG) meets monthly to learn and talk about Linux. To avoid back-to-back meetings, this GNU/Linux Users Group usually holds its meetings on the second Thursday after (eight days after) the monthly meeting of the Saint Louis Unix Users Group (SLUUG). Eight days after would be either the third Thursday or the fourth Thursday of each month.
These meetings are free, public and open to all.
We begin gathering about 6:00PM to test microphones, screen sharing and webcams. At 6:30PM we start with introductions, announcements, current events of interest, and a general CALL-FOR-HELP segment. Then we will go into the presentation of our main topic, sometime after or around 6:45PM.
STLLUG is loosely affiliated with the St. Louis Unix Users Group (SLUUG), as one of its Special Interest Groups (SIG). Under SLUUG care, web page support is provided. Individual membership dues, fees or other charges are NOT required.
Contact us if you have a presentation you would like to have considered for selection.
This site hosted by the Saint Louis Unix Users Group