Ubuntu 24.04 Beta Delayed Due to XZ Open Source Attack

The Beta release of Ubuntu 24.04, Noble Numbat, has been pushed to April 11, 2024, one week after the previous date (April 4, 2024)!

It’s because an attack publicly disclosed on March 29, 2024.

An attacker using the name “Jia Tan” installed a backdoor into liblzma library. It’s a part of xz, which happens to be a dependency of OpenSSH in Debian, Ubuntu, Fedora, etc. The backdoor sends hidden commands at the start of an SSH session, allowing the attacker to run an arbitrary command on the target system without logging in.

Russ Cox, Google’s Golang developer, post a page talking about timeline of the xz open source attack. According to the post, “Jia Tan”, the attacker, started contributing to xz since October 2021, and became a maintainer since the second half of 2022.

Attack began on 2024-02-23, and Debian Unstable, Ubuntu 24.04 (Dev), Fedora 40 Beta and Fedora Rawhide have been affected.

Ubuntu 24.04 (Dev) Desktop

Debian Unstable has rolled back from xz-utils 5.6.1 to 5.4.5 (5.6.1+really5.4.5-1) to workaround the issue.

Ubuntu inherited the package from Debian, and decided to re-build all the binary packages for the Ubuntu 24.04 after the CVE-2024-3094 code committed to xz-utils.

“Canonical never stops working to keep Ubuntu at the forefront of safety, security, and reliability. As a result of CVE-2024-3094 53, Canonical made the decision to remove and rebuild all binary packages that had been built for Noble Numbat after the CVE-2024-3094 53 code was committed to xz-utils (February 26th), on newly provisioned build environments.

And, due to the decision (see in Ubuntu Discourse), Ubuntu 24.04 Beta release is delayed for a week!