Welcome to JuliaHub's Trust and Security Portal. Our commitment to data privacy and security is embedded in every part of our business. Use this portal to learn about our security posture and request access to our security documentation.
Summary
A backdoor was identified in the popular XZ data compression library. We do not believe any JuliaHub infrastructure or any Julia users are affected by this issue.
Background
A thread on the oss-security mailing list reported that the XZ Utils project was affected by a backdoor: one of the project's current maintainers appeared to have injected malicious code into versions 5.6.0 and 5.6.1 of the xz-utils package which, under certain circumstances, is loaded into the OpenSSH server (sshd) and could allow an attacker to bypass authentication and gain access to remote systems. This issue has been assigned CVE-2024-3094.
Details
The open source Julia ecosystem
The backdoor is only injected into a binary build of XZ when all of the following conditions hold:
- the target system is x86_64-linux-gnu (Linux kernel, x86_64 architecture, glibc as the standard C library);
- the compiler is GCC;
- the build system detects that dpkg or rpm is being used, i.e. the library is being built as part of a Debian or RPM package.
Julia packages use binary builds of native C libraries that are created using our own infrastructure and distributed as so-called jll packages. This build system does not meet the third condition above (it does not build dpkg or rpm packages), and therefore we believe Julia users who have installed XZ using the Julia package manager are not vulnerable to this backdoor. The announcement of the backdoor on the oss-security mailing list includes a script that detects whether a build of liblzma carries the injected code by checking for a specific byte pattern in a hexadecimal dump of the library. We have verified that our builds of liblzma.so in XZ_jll v5.6.0 and v5.6.1 do not contain the known pattern. Please talk to your JuliaHub support contact if you want to run this analysis yourself.
Out of an abundance of caution, however, XZ_jll package versions 5.6.0 and 5.6.1 have been removed from the Julia package registry. They can no longer be installed; users are able to install only versions up to 5.4.6.
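The check described above, as an added example that is not JuliaHub's or the Julia project's own code: a POSIX shell script that searches a liblzma shared object for the same hexadecimal signature quoted in the oss-security announcement, generalised from the announcement's single sshd-linked library to every liblzma found under a directory, such as the artifacts directory of a Julia depot (by default ~/.julia/artifacts). The signature is the one from the announcement; the depot location and the liblzma file-name pattern are assumptions about how XZ_jll artifacts are laid out on disk.

```shell
#!/bin/sh
# Added example (not JuliaHub's or the Julia project's code): look for the
# hexadecimal signature quoted in the oss-security announcement inside any
# liblzma shared object, e.g. those XZ_jll unpacks under a Julia depot.

# Byte sequence from Andres Freund's announcement: the prologue of the
# function the backdoor injects (endbr64; push rbp; mov rbp,rsi; ...).
XZ_BACKDOOR_HEX="f30f1efa554889f54c89ce5389fb81e7000000804883ec28488954241848894c2410"

# xz_check_liblzma FILE
# Exit status 0: signature present (backdoored build), 1: signature absent,
# 2: file unreadable. Uses od rather than hexdump so it runs on any POSIX sh.
xz_check_liblzma() {
    f="$1"
    [ -r "$f" ] || return 2
    if od -An -v -tx1 "$f" | tr -d ' \n' | grep -q "$XZ_BACKDOOR_HEX"; then
        return 0
    fi
    return 1
}

# xz_scan_dir DIR
# Walks DIR for liblzma shared objects and prints one verdict line per file.
# The layout DIR/<artifact>/lib/liblzma.so* matches how Julia unpacks
# artifacts into ~/.julia/artifacts; that layout is an assumption here.
xz_scan_dir() {
    dir="$1"
    find "$dir" -type f -name 'liblzma*.so*' 2>/dev/null | while IFS= read -r lib; do
        rc=0
        xz_check_liblzma "$lib" || rc=$?
        case $rc in
            0) echo "SIGNATURE FOUND: $lib" ;;
            1) echo "clean: $lib" ;;
            *) echo "unreadable: $lib" ;;
        esac
    done
}

# When run as a script with a directory argument, scan that directory, e.g.
#   sh check_xz.sh "$HOME/.julia/artifacts"
# Without an argument nothing runs, so the file can also be sourced.
if [ "$#" -ge 1 ]; then
    xz_scan_dir "$1"
fi
```

A match means the known injected function is present in that file. The converse does not hold: a build that lacks the pattern merely does not carry this specific payload, so the check complements, rather than replaces, staying on XZ_jll 5.4.6 or earlier.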
The JuliaHub Platform
All JuliaHub platform servers and container images are derived from Debian stable. The backdoored packages only ever reached Debian unstable and testing, never stable, and therefore did not make it into any of our builds or images.
JuliaHub enterprise customers should talk to their support contacts if they need assistance extracting from the logs the list of users who have installed XZ_jll versions 5.6.0 and 5.6.1. Again, this is only out of an abundance of caution, as we do not believe those users are vulnerable.
Acknowledgements
- The original announcement by Andres Freund: https://www.openwall.com/lists/oss-security/2024/03/29/4
- The Julia ecosystem bulletin by Mosè Giordano: https://discourse.julialang.org/t/psa-backdoor-in-xz-utils-and-relevance-for-the-julia-ecosystem/112328