Post Syndicated from daroc original https://lwn.net/Articles/967192/
Versions 5.6.0 and 5.6.1 of the
XZ
compression utility and library
were shipped with a backdoor that targeted
OpenSSH.
Andres Freund
discovered the backdoor by
noticing that failed SSH logins were taking a lot of
CPU time while doing some
micro-benchmarking, and tracking down the backdoor from there. It was introduced
by XZ co-maintainer “Jia Tan” — a probable alias for person or persons unknown.
The backdoor is a sophisticated attack with multiple parts, from the build
system, to link time, to run time.