The Beta release of Ubuntu 24.04, Noble Numbat, has been pushed to April 11, 2024, one week after the previous date (April 4, 2024)!
The delay is due to an attack publicly disclosed on March 29, 2024.
An attacker using the name “Jia Tan” installed a backdoor into the liblzma library. It is part of xz, which happens to be a dependency of OpenSSH in Debian, Ubuntu, Fedora, etc. The backdoor watches for hidden commands that the attacker sends at the start of an SSH session, allowing the attacker to run an arbitrary command on the target system without logging in.
Russ Cox, a Go developer at Google, posted a page covering the timeline of the xz open source attack. According to the post, “Jia Tan”, the attacker, started contributing to xz in October 2021 and became a maintainer in the second half of 2022.
The attack began on 2024-02-23, and Debian Unstable, Ubuntu 24.04 (Dev), Fedora 40 Beta and Fedora Rawhide have been affected.