
Update: Beta release of Ubuntu 24.04 finally hits after more than a week’s delay

Update 15/04/2024 – The new beta version of Ubuntu, version 24.04 nicknamed ‘Noble Numbat,’ has been released after over a week’s delay. This delay was due to the backdoor found in the compression tool xz. The release was supposed to take place on Thursday, April 11, but it took just a day longer.

The new Ubuntu beta is based on the latest Linux kernel 6.8 and includes version 46 of the GNOME desktop environment and a new App Center. This store is specifically for Canonical’s own Snap applications, where users can find and install a wide range of software, albeit only in this format.

Original – Canonical, the maker of Linux distribution Ubuntu, is delaying the beta release of Ubuntu 24.04 LTS by a week because of the discovery of the backdoor in the widely used compression tool xz Utils. The release was supposed to be today but has been pushed back to April 11.

Canonical says it chose to do this to ensure users’ security. Lukasz Zemczak, the company’s Senior Software Engineer and Interim Manager, announced that all beta version binary packages created after the backdoor was committed to xz-utils (February 26) would be removed and rebuilt.

As a result, Canonical can guarantee that the threat will not affect any binary in the builds of Ubuntu 24.04 LTS (codenamed Noble Numbat).

Late last week, it was discovered that the xz compression tool and its associated libraries contained a backdoor. This security vulnerability has been assigned the identifier CVE-2024-3094. In addition to Ubuntu, Red Hat, the developer of Fedora Linux, also warned about the vulnerability. Red Hat advises users of the experimental Fedora Rawhide version to stop using installations of that version.

Downgrading xz Utils to version 5.4.x

Although the stable Fedora 40 version has not been affected, Red Hat recommends downgrading to a 5.4.x version of xz. The beta version of Fedora 40 did include the compromised version of xz. Users of that version should downgrade their xz Utils package. Other Linux distributions, such as OpenSUSE and Debian, have also warned their users.
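A quick way to tell whether a machine carries one of the versions named above is to parse the output of `xz --version` and compare the library line against the two compromised releases. The script below is an added example, not part of the article or of any distribution’s tooling; the sample output it embeds is constructed to mirror the format `xz --version` prints.

```shell
#!/bin/sh
# Added example (not from the article): classify an xz/liblzma version string
# against the versions the article names. 5.6.0 and 5.6.1 carry the backdoor
# (CVE-2024-3094); 5.4.x is the downgrade target Red Hat recommends.

# Extract the liblzma version from `xz --version` output, which looks like:
#   xz (XZ Utils) 5.6.1
#   liblzma 5.6.1
# The library line is the one that matters: the backdoor lives in liblzma,
# which sshd can end up loading indirectly on some distributions.
liblzma_version() {
    printf '%s\n' "$1" | awk '/^liblzma/ { print $2; exit }'
}

# Print "affected", "downgrade-target" or "other" for a bare version string.
classify_version() {
    case "$1" in
        5.6.0|5.6.1) echo affected ;;
        5.4.*)       echo downgrade-target ;;
        *)           echo other ;;
    esac
}

# Constructed sample output for a compromised installation.
SAMPLE_COMPROMISED='xz (XZ Utils) 5.6.1
liblzma 5.6.1'

# Run with --check to inspect the real installation on this host.
if [ "${1:-}" = "--check" ] && command -v xz >/dev/null 2>&1; then
    v=$(liblzma_version "$(xz --version)")
    echo "installed liblzma $v: $(classify_version "$v")"
fi
```

Run as `sh xzcheck.sh --check` on the host under review; the version-string functions are kept separate so they can be exercised on captured output from other machines.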

The backdoor was discovered during a Microsoft engineer’s review of peculiar SSH performance issues and valgrind crashes. By inserting code during the SSH login process, the backdoor could give a malicious actor unauthorized access to systems.

The perpetrator or group behind the backdoor (known as ‘Jia Tan’) made changes over more than two years. In the process, they pressured Linux distributors to include compromised versions of xz under the guise of ‘added new features’.

Backdoor discovered in time

Ultimately, the compromised 5.6.0 and 5.6.1 versions of xz ended up in only a few Linux distributions. Most of these are development, test, or experimental versions that are not in frequent use. The timely discovery has prevented the malicious backdoor from entering production releases.

News of the backdoor is keeping the cybersecurity community quite busy. Wired published an article about the agent responsible for the backdoor. Researchers suspect that ‘Jia Tan’ is a pseudonym for a state actor with the long-term goal of compromising open-source projects.
