XZ backdoor security hack. Current hack!

TITLE: The XZ hack (and what it means to you)

Abstract: The backdoor in xz and liblzma is a serious near miss that thankfully did not make it into most production linux distributions and could have been far worse if it hadn't been caught by a developer noticing his ssh login took an extra half a second.

This hack is an impressive long con by someone who had been given maintainer status in the tool. We will cover how it worked from a high level, how it almost was a far more serious issue than it is, and what it means for the FOSS world. (Also why this issue is causing me to loose sleep over it)

(This was noted in an ArsTechnica article on March 29 (ie ~ 20 days ago.) Same day, stlLUG members were posting it in our DISCUSS email-list. On April 11, there was a ~5min on-air interview with the MS engineer who discovered it, including comments about open-src vs closed-src. This interview was on the general public's NPR radio. The backdoor seems to have been loose in the public since at least Feb 23?)

CVE-2024-3094.

Bio:
Presenter: Andrew Denner is a Senior Scientific Computing Software Developer at Corteva Agriscience and the president of the Central Iowa Linux Users Group. When not computing he enjoys camping in his 1994 Pace Arrow Camper with his wife and 15 month old son.

==============
The monthly mtng of the St. Louis Linux User Group
See [https://www.stllinux.org/](https://www.google.com/url?q=https://www.stllinux.org/&sa=D&source=calendar&usd=2&usg=AOvVaw3Y-AOfHPNKVMZJY5EzlB9e) for current information. The URL link to this meeting is posted earlier in the day of the meeting on the above home page. It is the link called "linked here".

• ONLINE MEETINGS ONLY until further notice.
• ONLINE sessions will use a remote video meeting service.
• HOW TO CONNECT instructions will be on [https://www.stllinux.org/](https://www.google.com/url?q=https://www.stllinux.org/&sa=D&source=calendar&usd=2&usg=AOvVaw3Y-AOfHPNKVMZJY5EzlB9e) web page and our mailing lists. It is the link called "linked here". Note that your browser cache may need to be refreshed each time you check the web page for the instructions.
• We will open the remote session at about 6:00 PM, so that you can join early to test sharing your mic, screen, & video camera.
• The STLLINUX meetings are eight days after the SLUUG General meeting; so, usually on the third or fourth Thursday of each month from 6:30 PM to 9:00 PM.

=====================================
https://stllinux.org/
The url link to this Zoom mtng is posted earlier on the day of the mtng at the above home page. It is the link called "linked here".

ONLINE MEETINGS ONLY until further notice.
ONLINE session will use remote video software.
HOW TO CONNECT instructions on https://stllinux.org/ web page and our mailing lists. Note that your browser cache may need to be refreshed each time you check the above web page for the instructions. We will open the remote session at about 6:00 PM Central Standard Time ( CST ), so that you can join early to test your microphone, screen and video sharing.

The Saint Louis MO, STL Linux Users Group (STLLUG) meets monthly to talk about Linux. This GNU/Linux Users Group usually holds its meetings on the third or fourth Thursday of every month. Meetings are free and open to everyone.

At 6:30 PM CST we start with introductions, announcements, current events of interest, and a general CALL FOR HELP segment. Then we will go into the presentation of our main topic, sometime around 6:45~7:00 PM CST.