[tor-relays] User advisory to check for xz-utils backdoor

pasture_clubbed242 at simplelogin.com
Fri Mar 29 18:39:05 UTC 2024


Greetings,

I do not normally use mailing lists such as this one to inform subscribers of security notices, but this issue is extreme enough that it may benefit the anonymity of Tor users if relay operators are aware of it sooner.


The near-universally used 'xz' compression library has been found to contain a backdoor in certain code branches. This backdoor has made it into some systems such as Debian Sid. 

Details regarding this backdoor are available here.
https://www.openwall.com/lists/oss-security/2024/03/29/4

It is suspected that if your OpenSSH server links to the xz library, as Debian's appears to do, then this backdoor is remotely exploitable. If your OpenSSH server does not link to this library, then your system still contains many processes that run xz actions as the root user, some input of which may be less than trusted.

For those needing a patch, I recommend you research your distribution's security advisory page for further information. 

References:
Debian Sid Advisory: https://security-tracker.debian.org/tracker/CVE-2024-3094
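
The check the advisory asks relay operators to make, as an added example that is not part of the original post: it reports whether the local sshd loads liblzma and whether the installed liblzma version appears on a list you copy from your distribution's advisory. The function names, the default path `/usr/sbin/sshd` and the empty `AFFECTED_VERSIONS` placeholder are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post: check whether sshd loads liblzma
# and whether the installed liblzma version is on your distribution's list.

# Fill in from your distribution's security advisory (placeholder, left empty).
AFFECTED_VERSIONS=""

# Reads ldd-style output on stdin; prints the resolved liblzma path, if any.
# Returns 0 when liblzma is among the loaded libraries, 1 otherwise.
liblzma_from_ldd() {
    awk '$1 ~ /^liblzma\.so(\.[0-9]+)*$/ { print ($2 == "=>" ? $3 : $1); found = 1 }
         END { exit !found }'
}

# Reads `xz --version` output on stdin; prints the liblzma version.
liblzma_version() {
    awk '$1 == "liblzma" { print $2; exit }'
}

# $1 = installed version, $2 = space-separated versions from the advisory.
version_listed() {
    for v in $2; do
        [ "$1" = "$v" ] && return 0
    done
    return 1
}

# Report on this host. $1 = path to sshd (assumed default: /usr/sbin/sshd).
check_host() {
    sshd_bin=${1:-/usr/sbin/sshd}
    if [ -x "$sshd_bin" ]; then
        # ldd resolves indirect dependencies too (e.g. via another library).
        if lib=$(ldd "$sshd_bin" 2>/dev/null | liblzma_from_ldd); then
            echo "$sshd_bin loads liblzma: $lib"
        else
            echo "$sshd_bin does not load liblzma"
        fi
    else
        echo "no sshd at $sshd_bin"
    fi
    if command -v xz >/dev/null 2>&1; then
        ver=$(xz --version | liblzma_version)
        if version_listed "$ver" "$AFFECTED_VERSIONS"; then
            echo "liblzma $ver is listed as affected: follow the advisory"
        else
            echo "liblzma $ver is not in AFFECTED_VERSIONS"
        fi
    fi
}

check_host "$@"
```

A result of "does not load liblzma" covers only the sshd case; the post's second point about other root processes that handle xz data still applies.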


