Backdoor man is still alive.

Alain De Vos · Mar 29, 2024

oss-security - backdoor in upstream xz/liblzma leading to ssh server compromise

gpw928 · Mar 29, 2024

You need to have xz at 5.6.1. FreeBSD 13.3 and 14.0 aren't impacted.

Though it looks malicious from a maintainer who has been around for a couple of years doing things...

Edit: I just found this older this older post.

dbdemon · Mar 29, 2024

I wonder what the OSS community will do about the person who was apparently deliberately injecting this vulnerable code.

Is there any precedence for taking such bad actors to court?

PMc · Mar 30, 2024

dbdemon said:
I wonder what the OSS community will do about the person who was apparently deliberately injecting this vulnerable code.

Is there any precedence for taking such bad actors to court?

Why would one?
Licenses explicitely exclude any expressed or implied warranty of fitness for a particular purpose, and any liability.
I conclude that it is perfectly okay to provide backdoors. I remember times when any FreeBSD developer had their backdoor in the code - and it was a good life back then, because the greedy money-makers weren't there yet, and one knew each other.

scottro · Mar 30, 2024

There's already another thread on this with some useful links.

Backdoor in upstream xz/liblzma leading to SSH server compromise

https://news.ycombinator.com/item?id=39865810 https://www.openwall.com/lists/oss-security/2024/03/29/4 quite interesting

forums.freebsd.org

Cath O'Deray · Mar 30, 2024

scottro said:
another thread

Thanks, gpw928 provided the link in comment 2.

Backdoor man is still alive.

Alain De Vos

gpw928

dbdemon

PMc

scottro

Backdoor in upstream xz/liblzma leading to SSH server compromise

Cath O'Deray