Backdoor in XZ archiver 5.6.0 and 5.6.1 (CVE-2024-3094)
A month after the release of XZ 5.6.0, researchers from Red Hat discovered a backdoor (a hidden, unauthorized entry point) in it.
Systems running this code are vulnerable. Because the code is so new, it has so far reached only the newest distributions (Red Hat Fedora Linux 40 and Fedora Rawhide; openSUSE Tumbleweed, but not Slowroll or Leap; and others). Fixed packages are available. Reboot your system after updating.
The attack looks highly skilled: the backdoor code was well hidden.
National Vulnerability Database: https://nvd.nist.gov/vuln/detail/CVE-2024-3094
Announcement from Red Hat: https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users
Announcement from openSUSE: https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/thread/4E6THBX3TMY5H7TBBBMQAQMZ3JX26A7D/
Announcement from Debian: https://lists.debian.org/debian-security-announce/2024/msg00057.html
Phoronix on backdoor detection: https://www.phoronix.com/news/XZ-CVE-2024-3094
Phoronix on the release of XZ 5.6: https://www.phoronix.com/news/XZ-5.6-Released
GitHub has disabled the repository: https://www.phoronix.com/news/GitHub-Disables-XZ-Repo
Mirror of the repository: https://git.tukaani.org/?p=xz.git;a=tree
Ongoing analysis of the incident (continuously updated): https://boehs.org/node/everything-i-know-about-the-xz-backdoor
More links:
https://www.openwall.com/lists/oss-security/2024/03/29/4
https://lwn.net/Articles/967180/
https://www.mail-archive.com/xz-devel@tukaani.org/msg00567.html