Backdoor in XZ archiver 5.6.0 and 5.6.1 (CVE-2024-3094)

A month after the release of XZ 5.6.0, a new version of the archiver, researchers from Red Hat discovered a backdoor (a hidden entry point) in it.


Systems that use this code are vulnerable. Since the code is very new, it has so far appeared only in the latest distributions: Red Hat Fedora Linux 40 and Fedora Rawhide, openSUSE Tumbleweed (but not Slowroll or Leap), and others. Fixed packages are ready. Reboot your system after updating.
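
A quick way to check a host for the two affected releases, as an added example that is not part of the original post: the function below classifies the text printed by `xz --version`. The function name `classify_xz_output` and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify `xz --version` output against the two releases
# named in CVE-2024-3094 (5.6.0 and 5.6.1).

# classify_xz_output TEXT  (hypothetical helper name)
# Prints "affected", "not-affected" or "unknown".
classify_xz_output() {
    # Keep only the lines that report the xz tool or the liblzma library,
    # then pull the X.Y.Z token (with any alpha/beta suffix) from each.
    versions=$(printf '%s\n' "$1" |
        grep -E '^(xz|liblzma) ' |
        grep -oE '[0-9]+\.[0-9]+\.[0-9]+[A-Za-z]*') || true

    # Nothing parsable: xz missing, or output in an unexpected format.
    if [ -z "$versions" ]; then
        echo unknown
        return 0
    fi

    # The tool and the library can come from different builds, so one
    # affected version on either line is enough to flag the host.
    for v in $versions; do
        case "$v" in
            5.6.0|5.6.1) echo affected; return 0 ;;
        esac
    done
    echo not-affected
}

# Constructed sample of `xz --version` output from an affected build.
sample='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
echo "sample: $(classify_xz_output "$sample")"

# Check the xz found on PATH, if there is one.
if command -v xz >/dev/null 2>&1; then
    echo "installed xz: $(classify_xz_output "$(xz --version 2>/dev/null)")"
fi
```

The check reads only the upstream version that the binary prints; the distribution advisories linked below say which package builds carry the fix.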

The attack looks quite skillful. The backdoor code was well hidden.

National Vulnerability Database: https://nvd.nist.gov/vuln/detail/CVE-2024-3094

Message from Red Hat: https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users

Message from openSUSE: https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/thread/4E6THBX3TMY5H7TBBBMQAQMZ3JX26A7D/

Message from Debian: https://lists.debian.org/debian-security-announce/2024/msg00057.html

Phoronix on backdoor detection: https://www.phoronix.com/news/XZ-CVE-2024-3094

Phoronix on the release of XZ 5.6: https://www.phoronix.com/news/XZ-5.6-Released

GitHub has closed the repository: https://www.phoronix.com/news/GitHub-Disables-XZ-Repo

Repository copy: https://git.tukaani.org/?p=xz.git;a=tree

Research into the incident (being updated): https://boehs.org/node/everything-i-know-about-the-xz-backdoor

More links:

https://www.openwall.com/lists/oss-security/2024/03/29/4

https://lwn.net/Articles/967180/

https://www.mail-archive.com/xz-devel@tukaani.org/msg00567.html
