According to a Discourse post, the beta for Ubuntu 24.04 (codename: Noble Numbat) , which was due to be released tomorrow has been delayed and now we should expect it on April 11. The reason for the delay is said to be CVE-2024-3094 — otherwise known as the XZ compression tools, which were compromised with malicious code.
This delay also leads to speculation that the upcoming 24.04 launch — slated for April 25 — could possibly be delayed.
In the Discourse post, Łukasz 'sil2100' Zemczak announced that Canonical, the company behind Ubuntu, has "made the decision to remove and rebuild all binary packages that had been built for Noble Numbat after the CVE-2024-3094 code was committed to xz-utils (February 26th), on newly provisioned build environments."
This means that any binaries built for the latest Ubuntu release will not be impacted by the recent threat introduced via xz-utils.
The threat, which also triggered Red Hat to release an urgent security alert, sees malicious code being introduced to versions 5.6.0 and 5.6.1 of xz-utils. This code appears to introduce a backdoor into systems. According to an Openwall mailing list post by Andres Freund:
"After observing a few odd symptoms around liblzma (part of the xz package) on Debian sid installations over the last weeks (logins with ssh taking a lot of CPU, valgrind errors) I figured out the answer:
The upstream xz repository and the xz tarballs have been backdoored."
The xz-utils package is used to compress files / directories using the XZ compression format, commonly used on Linux and Unix machines. At the time of writing, Ubuntu 24.04 (Noble Numbat) is using version 5.6.1 of xz-utils, which was one of the two affected versions. By rebuilding the packages with known good code build environments, Canonical claims that it "provides us with confidence that no binary in our builds could have been affected by this emerging threat."
The impact on the beta is that we will now have to wait an extra week before we can get a hands-on with something approaching the final release (there is generally a release just before launch, which is considered a release candidate). Of course there are daily builds that we can try out, but we can't guarantee they are free of the malicious code.
Does this mean the April 25 release date will be pushed back? Ex-Canonical employee and well known Linux podcaster Alan "Popey" Pope ran a poll on Mastodon asking if Ubuntu 24.04 might be delayed. At the time of writing, 58% believe that it will be released on time, while 42% fear that it may be delayed.
The last time that an Ubuntu release was delayed was back in 2006: Ubuntu 6.06 "Dapper Drake" was delayed by two months to give the team more time to implement extra features for what was to become a pivotal Linux distro. Ubuntu 6.06 saw the merging of a live and install CD, along with a graphical installer and a means to install the OS to a USB drive.
Are other Linux distros affected?
According to a list compiled by helpnetsecurity.com, it is a bit of a mixed bag:
- Ubuntu 24.04 has been impacted, but previous releases are not.
- Red Hat, Fedora Rawhide (current Fedora Linux development build) and Fedora 40 are affected. No Red Hat Enterprise Linux (RHEL) versions are impacted.
- Debian, no stable releases are impacted, but users who use packages from the Debian testing, unstable and experimental repositories are urged to update the xz-utils package.
- Kali Linux users who updated their systems between March 26 and 29 are impacted.
- Some Arch Linux installation media, containers and virtual machines are impacted.
- Linux Mint, Gentoo Linux, Alpine Linux and Amazon Linux are not affected.
We did check our Raspberry Pi 5 running the latest Raspberry Pi OS (Kernel 6.6.20 from March 7 2024), and checking the version number for xz returned version 5.4.1. So, all appears well for our favorite single board computer.
