Understanding Red Hat's response to the XZ security incident
Red Hat News, Tuesday, April 30th, 2024
March 29, 2024 is a day the open source community will not soon forget: Andres Freund disclosed his findings about the compromise of the xz compression library, which would have enabled an attacker to silently gain access to an affected system.
How did that coordination work under the hood? In this article we give a behind-the-scenes glimpse of what it looked like at Red Hat.
Discovery
On Wednesday, March 27, Andres contacted the Debian security team via their contact email (security@debian.org) and let them know about the oddities he had found: an SSH slowdown when using a new XZ library shipped by Debian.