The upstream xz repository and the xz tarballs have been backdoored

Well, until now I didn’t give much about benchmarking. Times change. Doesn’t seem to be as useless as it seemed before.

I doubt it’s even possible, if those feds want to properly conceal their IP… delay is a must.


I think what all of this shows is that the Linux community needs to be vigilant.



  1. Red Hat Security Alert,
  2. CISA Alert,
  3. openSUSE downgrade of xz,
  4. discussion
  5. backdoor in upstream xz/liblzma leading to ssh server compromise,
  6. CVE-2024-3094 - Redhat Customer Portal,
  7. CVE-2024-3094 PoC Exploration,
  8. Backdoor found in xz package source,
  9. The xz package has been backdoored,
  10. CVE-2024-3094 XZ Backdoor: All you need to know,
  11. YARA rule CVE-2024-3094,
  12. detection script CVE-2024-3094,
  13. CVE-2024-3094 Detector,
  14. openSUSE addresses supply chain attack against xz compression library,

The information age…


Microsoft calls it a feature, not an issue.


This article about Notepad++ smells fishy. Usually you would read about the origin of the package, affected version or dates, mitigations, …

I feel bad for the guy who created “Everything I Know About the XZ Backdoor”. Digging into every single article that has the word xz in it, for some useful info.


DT had a take on it, too, of course.


I have the same opinion as DT. Why is the first guy who reported that exploitation in the first place an m$ dev? I am afraid that is a deception of war to accept m$ for being an honest good guy?


Maybe, just maybe, the guy actually found something bad and reported it? Even if it is true, why should I worry? Why should I have this on my head alongside my own inner demons? I’m extremely sorry, but I would rather be a naive idiot than someone who is constantly thinking about how everybody wants to mess up each other.


He wasn’t acting on official m$ business, he reported it on his own. The fact he works for m$ is pretty irrelevant here, it seems.


It’s my conclusion. I’m not that confident! I only want you all to be aware of deception. If I was wrong, I’m okay to be wrong. Never mind.


Okay, so pls tell me which is his social, and his origin.

Someone = me? Constantly? That’s your conclusion. Okay, that’s what you think. I won’t argue and look like a villain destroying the unity of your community.


This is essentially just sealioning and does not contribute to the discussion in a constructive way.

You are the one with the crackpot theory; if you want people to take your conclusion seriously, then you should be the one presenting compelling evidence.


Look man, I wasn’t attacking you. If you feel attacked, you really shouldn’t feel. Quite frankly, I have had a horrible week and seeing the entire situation happening brought with it some self-doubts of my own beliefs in open source software and its nature. Analyzing the situation to this degree, for me, is very uncomfortable and I don’t think it is helpful for me to do such a thing in the situation I’m in currently. If you want to do so, go ahead. I’m not going to stop you, nor judge you for it. Just please understand that I’ve enough on my plate personally, with my own inner demons and dilemmas regarding this world, my place in it, my behavior here and elsewhere, and other things I don’t think you want to hear.
