https://jdsalaro.com Jayson Salazar Rodriguez | @jdsalaro | Blog - Posts tagged supply chain 2025-12-26T16:36:53.755422+00:00 ABlog @jdsalaro https://jdsalaro.com/reflection/xz-liblzma-linux-backdoor-foss-pitfalls-strengths/ 🚨 On the XZ Utils Backdoor (CVE-2024-3094): FOSS Delivered on its Pitfalls and Strengths 2024-03-31T00:00:00+00:00 Jayson Salazar Rodriguez <p class="ablog-post-excerpt"><p>The newly discovered backdoor<a class="footnote-reference brackets" href="#openwall" id="id1" role="doc-noteref"><span class="fn-bracket">[</span>1<span class="fn-bracket">]</span></a> in the <code class="docutils literal notranslate"><span class="pre">XZ</span> <span class="pre">Utils</span></code> package<a class="footnote-reference brackets" href="#xzpackage" id="id2" role="doc-noteref"><span class="fn-bracket">[</span>2<span class="fn-bracket">]</span></a> affecting numerous Linux distributions<a class="footnote-reference brackets" href="#arstechnica" id="id3" role="doc-noteref"><span class="fn-bracket">[</span>3<span class="fn-bracket">]</span></a> and assigned <code class="docutils literal notranslate"><span class="pre">CVE-2024-3094</span></code><a class="footnote-reference brackets" href="#cve20243094" id="id4" role="doc-noteref"><span class="fn-bracket">[</span>4<span class="fn-bracket">]</span></a> is being dismissed by some members of the technology and security communities as <em>yet</em> another supply chain attack; relevant only because of how blatant it was and that it affected the Open Source ecosystem but in essence nothing out of the ordinary. Regardless of whether this perspective is gaining traction due to cynicism, as hyperbole for clicks or as a coping mechanism, I <em>vehemently</em> disagree with that stance.</p> <img alt="https://jdsalaro.com/_images/openwall-andres-freund-report.png" src="https://jdsalaro.com/_images/openwall-andres-freund-report.png" /></p> <script type="text/x-thebe-config"> { requestKernel: true, binderOptions: { repo: "binder-examples/jupyter-stacks-datascience", ref: "master", }, codeMirrorConfig: { theme: "abcdef", mode: "python" }, kernelOptions: { name: "python3", path: "./blog/tag" }, predefinedOutput: true } </script> <script>kernelName = 'python3'</script> The newly discovered backdoor1 in the XZ Utils package2 affecting numerous Linux distributions3 and assigned CVE-2024-30944 is being dismissed by some members of the technology and security communities as yet another supply chain attack; relevant only because of how blatant it was and that it affected the Open Source ecosystem but in essence nothing out of the ordinary. Regardless of whether this perspective is gaining traction due to cynicism, as hyperbole for clicks or as a coping mechanism, I vehemently disagree with that stance. 2024-03-31T00:00:00+00:00