Canonical has announced it is delaying the beta release of Ubuntu 24.04 in the wake of the XZ backdoor that stunned the Linux community last week.
Microsoft engineer Andres Freund discovered that XZ Utils, a popular compression library used by nearly every major Linux distro, was compromised with a malicious backdoor. Rather than being a brute-force attack, initial investigation revealed that the backdoor had been inserted by one of the project’s legitimate maintainers.
In what can only be described as a years-long concerted effort, the bad actor bullied the project’s original maintainer into handing over co-maintainer rights before proceeding to carefully insert the backdoor code, pressure distro maintainers into adopting the compromised version, and taking effort to hide their real motives.
Fortunately, Freund discovered the backdoor before the compromised version made its way into any stable distro, such as Ubuntu, Fedora, or Debian. Nonetheless, development builds of Ubuntu and Fedora were compromised.
As a result the impact, Ubuntu is taking an extra week to rebuild all of its binaries for the upcoming 24.04 Noble Numbat release, according to a post on the company’s site:
Canonical never stops working to keep Ubuntu at the forefront of safety, security, and reliability. As a result of CVE-2024-3094 264, Canonical made the decision to remove and rebuild all binary packages that had been built for Noble Numbat after the CVE-2024-3094 264 code was committed to xz-utils (February 26th), on newly provisioned build environments. This provides us with confidence that no binary in our builds could have been affected by this emerging threat. As a result of this, the Beta release for Ubuntu 24.04 LTS (Noble Numbat) has been pushed to April 11, 2024 (previously April 4, 2024).
We appreciate your understanding and thank the community members who are collaborating on our collective understanding of this emerging issue.
It’s good to see Canonical take the threat seriously and take whatever steps necessary to protect the security of its users.