The Linux community was deeply unsettled following the revelation of a backdoor in the XZ tarballs, which set off a series of consequential events. These even included a proposal for changes to systemd, which, though only indirectly, played a pivotal role in the successful exploitation of the vulnerability.
In the wake of this turmoil, Debian had already postponed the launch of its Bookworm series 12.6 update. Now, Ubuntu has similarly responded by taking its own measures.
In a recent announcement from Canonical, users learned of a slight hiccup in their eagerly awaited release schedule. The Beta version of Ubuntu 24.04 LTS, codenamed “Noble Numbat,” will now be launched on April 11, 2024, a week later than the initially planned date of April 4, 2024.
This delay is attributed to Canonical’s proactive response to CVE-2024-3094, a vulnerability in the xz-utils package that specifically affects the liblzma library.
This security flaw prompted Canonical to thoroughly review and rebuild all binary packages that had been prepared for Noble Numbat after February 26, when the affected code was added to xz-utils. openSUSE took the same action just a few days ago for its Tumbleweed release, for the same reasons.
The rebuild is being conducted in newly provisioned build environments to ensure the software’s utmost security and integrity. By delaying the Beta release for a comprehensive rebuild, Canonical aims to guarantee that this vulnerability will not compromise any of its binaries.
It’s important to emphasize that the delay of the Beta release won’t impact the launch date for the final stable version of Ubuntu 24.04 (Noble Numbat), which is still set for April 25.
For more information, refer to Canonical’s official announcement on Discourse.