• Anna
    3 hours ago

    This is the original email by the person who discovered this backdoor. But if you want you can search for xz backdoor and you’ll find a lot more articles which explain timelines and other things. https://www.openwall.com/lists/oss-security/2024/03/29/4

     == Observing Impact on openssh server ==
    
    With the backdoored liblzma installed, logins via ssh become a lot slower.
    
    time ssh nonexistant@...alhost
    
    before:
    nonexistant@...alhost: Permission denied (publickey).
    
    before:
    real	0m0.299s
    user	0m0.202s
    sys	0m0.006s
    
    after:
    nonexistant@...alhost: Permission denied (publickey).
    
    real	0m0.807s
    user	0m0.202s
    sys	0m0.006s
    

    That’s a 500ms or 0.5s difference