
This account changed the instructions for reporting security issues in the xz GitHub as their very last commit:

    commit af071ef7702debef4f1d324616a0137a5001c14c (HEAD -> master, origin/master, origin/HEAD)
    Author: Jia Tan <jiat0218@gmail.com>
    Date:   Tue Mar 26 01:50:02 2024 +0800

        Docs: Simplify SECURITY.md.

    diff --git a/.github/SECURITY.md b/.github/SECURITY.md
    index e9b3458a..9ddfe8e9 100644
    --- a/.github/SECURITY.md
    +++ b/.github/SECURITY.md
    @@ -16,13 +16,7 @@ the chance that the exploit will be used before a patch is released.
     You may submit a report by emailing us at
     [xz@tukaani.org](mailto:xz@tukaani.org), or through
     [Security Advisories](https://github.com/tukaani-project/xz/security/advisories/new).
    -While both options are available, we prefer email. In any case, please
    -provide a clear description of the vulnerability including:
    -
    -- Affected versions of XZ Utils
    -- Estimated severity (low, moderate, high, critical)
    -- Steps to recreate the vulnerability
    -- All relevant files (core dumps, build logs, input files, etc.)
    +While both options are available, we prefer email.

     This project is maintained by a team of volunteers on a reasonable-effort
     basis. As such, please give us 90 days to work on a fix before
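Review bot: this hunk deletes the whole checklist of what a report should contain (affected versions, estimated severity, steps to recreate, relevant files) and keeps only "While both options are available, we prefer email." The commit message calls that a simplification, but the list was the only guidance a reporter had for producing a report the maintainers can act on, and the unchanged context right below commits the project to a 90-day fix window, which is harder to meet on an under-specified report. Suggest keeping the four bullets, or at minimum "Affected versions of XZ Utils" and "Steps to recreate the vulnerability", rather than dropping them with no replacement.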
Seems innocuous, but maybe they were planning further changes.



> Seems innocuous, but maybe they were planning further changes.

Seems like an attempt to get 90 days of "use" of this vulnerability after discovery. If only they had checked performance before!


No, they just removed the bullet points about what to include in a report. The 90 days part was in both versions.


Yes. An incomplete report allows for dragging out "fixing" the issue longer.


True, but the "talk only to me" part was new, I think.


They didn't add any content; it was a pure removal commit.



