{"id":46080,"date":"2024-04-03T14:57:37","date_gmt":"2024-04-03T14:57:37","guid":{"rendered":"https:\/\/ubuntuhandbook.org\/?p=46080"},"modified":"2024-04-03T14:57:37","modified_gmt":"2024-04-03T14:57:37","slug":"ubuntu-24-04-beta-delayed","status":"publish","type":"post","link":"https:\/\/ubuntuhandbook.org\/index.php\/2024\/04\/ubuntu-24-04-beta-delayed\/","title":{"rendered":"Ubuntu 24.04 Beta Delayed Due to XZ Open Source Attack"},"content":{"rendered":"<p><a href=\"https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2022\/04\/ubuntu2204-logo.webp\"><img loading=\"lazy\" decoding=\"async\" class=\"alignleft size-thumbnail wp-image-38307\" src=\"https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2022\/04\/ubuntu2204-logo-250x250.webp\" alt=\"\" width=\"250\" height=\"250\" srcset=\"https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2022\/04\/ubuntu2204-logo-250x250.webp 250w, https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2022\/04\/ubuntu2204-logo-300x300.webp 300w, https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2022\/04\/ubuntu2204-logo-600x600.webp 600w, https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2022\/04\/ubuntu2204-logo-768x768.webp 768w, https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2022\/04\/ubuntu2204-logo.webp 1200w\" sizes=\"auto, (max-width: 250px) 100vw, 250px\" \/><\/a><\/p>\n<p><b>The Beta release of Ubuntu 24.04, Noble Numbat, has been pushed to April 11, 2024, one week after the previous date (April 4, 2024)!<\/b><\/p>\n<p>It&#8217;s because of an attack <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2024-3094\" target=\"_blank\" rel=\"noopener\">publicly disclosed on March 29, 2024<\/a>.<\/p>\n<p>An attacker using the name &#8220;Jia Tan&#8221; installed a backdoor into the <code>liblzma<\/code> library. It&#8217;s a part of <a href=\"https:\/\/en.wikipedia.org\/wiki\/XZ_Utils\" target=\"_blank\" rel=\"noopener\"><b>xz<\/b><\/a>, which happens to be a dependency of OpenSSH in Debian, Ubuntu, Fedora, etc. 
The backdoor watches for hidden commands sent by the attacker at the start of an SSH session, allowing the attacker to run an arbitrary command on the target system without logging in.<\/p>\n<p>Russ Cox, Google&#8217;s Golang developer, posted a page about the <a href=\"https:\/\/research.swtch.com\/xz-timeline\" target=\"_blank\" rel=\"noopener\">timeline of the xz open source attack<\/a>. According to the post, &#8220;Jia Tan&#8221;, the attacker, started contributing to xz in October 2021, and became a maintainer in the second half of 2022.<\/p>\n<p>The attack began on 2024-02-23, and <b>Debian Unstable<\/b>, <b>Ubuntu 24.04 (Dev)<\/b>, <b>Fedora 40 Beta and Fedora Rawhide<\/b> have been affected.<br \/>\n<!--more--><\/p>\n<div id=\"attachment_46081\" style=\"width: 620px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/04\/ubuntu24.04-desktop.webp\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-46081\" class=\"size-large wp-image-46081\" src=\"https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/04\/ubuntu24.04-desktop-700x415.webp\" alt=\"\" width=\"610\" height=\"362\" srcset=\"https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/04\/ubuntu24.04-desktop-700x415.webp 700w, https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/04\/ubuntu24.04-desktop-300x178.webp 300w, https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/04\/ubuntu24.04-desktop-768x456.webp 768w, https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/04\/ubuntu24.04-desktop-1536x912.webp 1536w, https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/04\/ubuntu24.04-desktop-1320x784.webp 1320w, https:\/\/ubuntuhandbook.org\/wp-content\/uploads\/2024\/04\/ubuntu24.04-desktop.webp 1555w\" sizes=\"auto, (max-width: 610px) 100vw, 610px\" \/><\/a><p id=\"caption-attachment-46081\" class=\"wp-caption-text\">Ubuntu 24.04 (Dev) Desktop<\/p><\/div>\n<p>Debian Unstable has rolled back from xz-utils 5.6.1 to 5.4.5 
(5.6.1+really5.4.5-1) to work around the issue.<\/p>\n<p>Ubuntu inherited the package from Debian, and decided to rebuild all the binary packages for Ubuntu 24.04 that were built after the <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2024-3094\" target=\"_blank\" rel=\"noopener\">CVE-2024-3094<\/a> code was committed to xz-utils.<\/p>\n<blockquote><p><i>&#8220;Canonical never stops working to keep Ubuntu at the forefront of safety, security, and reliability. As a result of CVE-2024-3094, Canonical made the decision to remove and rebuild all binary packages that had been built for Noble Numbat after the CVE-2024-3094 code was committed to xz-utils (February 26th), on newly provisioned build environments.<\/i>&#8221;<\/p><\/blockquote>\n<p>And, due to this decision (see <a href=\"https:\/\/discourse.ubuntu.com\/t\/noble-numbat-beta-delayed-xz-liblzma-security-update\/43827\" target=\"_blank\" rel=\"noopener\">Ubuntu Discourse<\/a>), the Ubuntu 24.04 Beta release is delayed by a week!<\/p>","protected":false},"excerpt":{"rendered":"<p>The Beta release of Ubuntu 24.04, Noble Numbat, has been pushed to April 11, 2024, one week after the previous date (April 4, 2024)! It&#8217;s because of an attack publicly disclosed on March 29, 2024. An attacker using the name &#8220;Jia Tan&#8221; installed a backdoor into the liblzma library. 
It&#8217;s a part of xz, which happens to [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":38307,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[2087],"class_list":["post-46080","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news","tag-ubuntu-24-04"],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/ubuntuhandbook.org\/index.php\/wp-json\/wp\/v2\/posts\/46080","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ubuntuhandbook.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ubuntuhandbook.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ubuntuhandbook.org\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/ubuntuhandbook.org\/index.php\/wp-json\/wp\/v2\/comments?post=46080"}],"version-history":[{"count":0,"href":"https:\/\/ubuntuhandbook.org\/index.php\/wp-json\/wp\/v2\/posts\/46080\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ubuntuhandbook.org\/index.php\/wp-json\/wp\/v2\/media\/38307"}],"wp:attachment":[{"href":"https:\/\/ubuntuhandbook.org\/index.php\/wp-json\/wp\/v2\/media?parent=46080"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ubuntuhandbook.org\/index.php\/wp-json\/wp\/v2\/categories?post=46080"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ubuntuhandbook.org\/index.php\/wp-json\/wp\/v2\/tags?post=46080"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}