xz library supply chain attack comes close to succeeding

Very lucky that this was caught when it was, and didn’t make it further.

Yeah, this one is totally wild.

Question is how many other contributors have been quietly committing compromised code over the years.

Anyway, Qt3 was never vulnerable to this one.

I imagine it will push distributions to no longer use pre-generated source tarballs from upstream. There still will be the problem of catching compromised code that has been merged.
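One defender-side check that follows from that point, added here as an illustration and not code from this thread or from any distribution: compare the files in a release tarball against the VCS checkout for the same tag, so that anything present only in the tarball, or altered relative to the committed tree, is surfaced for review before packaging. The project name, file names and contents below are constructed fixtures.

```python
import hashlib
import os
import tarfile
import tempfile

def tree_digests(root):
    """Relative path -> sha256 for every regular file under a VCS checkout."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                out[rel] = hashlib.sha256(fh.read()).hexdigest()
    return out

def tarball_digests(tar_path, strip=1):
    """Same map for a release tarball, dropping the leading 'name-x.y/' dir."""
    out = {}
    with tarfile.open(tar_path, "r:*") as tf:
        for m in tf.getmembers():
            parts = m.name.split("/")[strip:]
            if m.isfile() and parts:
                out["/".join(parts)] = hashlib.sha256(tf.extractfile(m).read()).hexdigest()
    return out

def compare_release(tar_path, checkout):
    """Return (only_in_tarball, modified, only_in_checkout); the first two never went through review as commits."""
    tar, tree = tarball_digests(tar_path), tree_digests(checkout)
    modified = sorted(p for p in set(tar) & set(tree) if tar[p] != tree[p])
    return sorted(set(tar) - set(tree)), modified, sorted(set(tree) - set(tar))

def _write(root, files):
    """Write a {relative path: bytes} map under root (constructed fixture only)."""
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

def demo():
    """Constructed data: a checkout and a tarball that adds one file and alters another."""
    with tempfile.TemporaryDirectory() as tmp:
        src = {"configure.ac": b"AC_INIT([demo],[1.0])\n", "m4/generated.m4": b"# committed\n"}
        _write(os.path.join(tmp, "checkout"), src)
        shipped = dict(src, **{"m4/generated.m4": b"# changed in tarball only\n", "build-aux/extra.sh": b"echo constructed\n"})
        _write(os.path.join(tmp, "shipped"), shipped)
        tar_path = os.path.join(tmp, "demo-1.0.tar.gz")
        with tarfile.open(tar_path, "w:gz") as tf:
            tf.add(os.path.join(tmp, "shipped"), arcname="demo-1.0")
        return compare_release(tar_path, os.path.join(tmp, "checkout"))
```

Files reported as tarball-only or modified are exactly the pre-generated content a packager would have to explain or regenerate from the checkout.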

Unless someone is running a bleeding edge version of a community distribution like Fedora rawhide, they almost certainly haven’t been touched by this.

It will be interesting to see if they are ever able to trace this back to whoever is behind that github account.

AIUI it put an ssh backdoor in, so it wouldn’t affect a website or its users, but rather the server.

1 Like

April 1st story? I’ll need to verify it tomorrow.

1 Like

Most definitely not an April 1st story. It became public on March 29th.

1 Like

Yes, the website runs on a server which I admin. Only Arch was vulnerable in a release version, and we don’t run Arch.

1 Like

Cool. I think we (the global “we”) got pretty lucky that it was discovered so quickly. It really was a pretty narrow range of versions that were compromised.