This is currently being heavily investigated so comments are provisional.

Looks like the tarballs of the "xz" utility were backdoored in at least versions 5.6.0 and 5.6.1 (goes back at least a month, possibly two). At this point the scope of the security impact of this is unclear to me.

It was found by people looking at Debian Sid resource consumption for ssh, and Redhat have a security advisory telling them to stop using systems using Fedora Rawhide.

https://access.redhat.com/security/cve/CVE-2024-3094
https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users

Debian bug to possibly revert (it appears Debian Sid and Testing may be affected). Not sure this adds much light, but the people who found it do suspect one of the (two) XZ maintainers of being involved.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068024

Post noting Debian testing and sid users can upgrade 5.5/5.6 versions of xz-utils to get a cleaned package based on 5.4.5 called imaginatively: 5.6.1+really5.4.5-1

https://lists.debian.org/debian-security-announce/2024/msg00057.html

Of course fixing a backdoor doesn't mean the system is safe, if it was exploited whilst malicious code was present, but that is why you have a security team right?!

Apologies if this spoils anyone's Easter but you probably wanted to know sooner rather than later.

Well done to Andres Freund, and Florian Weimer, for finding this before it got out of testing distros (at least for Debian and Redhat).

-- 
The Mailing List for the Devon & Cornwall LUG
FAQ: https://www.dcglug.org.uk/faq/
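An added example (not part of the post, nor code from Debian or the xz project): a Python port of dpkg's version-ordering rules, showing why the cleaned 5.6.1+really5.4.5-1 package sorts above the backdoored 5.6.1-1 upload and so replaces it on upgrade while actually shipping 5.4.5, together with a check that flags an installed xz-utils version string as affected. The affected set {5.6.0, 5.6.1} is what the post reports; the "+really" handling is an assumption that the package follows the usual Debian idiom.

```python
# Upstream versions the post reports as backdoored (no epoch, no Debian revision).
AFFECTED_UPSTREAM = {"5.6.0", "5.6.1"}
REALLY = "+really"  # Debian idiom: ship older code under a version that still sorts higher

def split_version(v):  # [epoch:]upstream[-revision]; epoch defaults to 0, revision to ''
    epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
    upstream, sep, revision = rest.rpartition("-")
    return (int(epoch),) + ((upstream, revision) if sep else (revision, ""))

def _order(c):  # dpkg character weight: '~' sorts before everything, even end of string
    if c == "" or c.isdigit(): return 0
    if c.isalpha(): return ord(c)
    return -1 if c == "~" else ord(c) + 256

def _verrevcmp(a, b):  # dpkg rule: alternate non-digit runs and integer runs
    ch = lambda s, k: s[k] if k < len(s) else ""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac, bc = _order(ch(a, i)), _order(ch(b, j))
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        while ch(a, i) == "0": i += 1  # leading zeros are insignificant
        while ch(b, j) == "0": j += 1
        while ch(a, i).isdigit() and ch(b, j).isdigit():
            first_diff = first_diff or ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if ch(a, i).isdigit(): return 1   # longer digit run is the larger number
        if ch(b, j).isdigit(): return -1
        if first_diff: return first_diff
    return 0

def compare(a, b):  # <0, 0 or >0, the ordering dpkg --compare-versions applies
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    return (ea - eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)

def real_upstream(v):  # code actually shipped: text after '+really' when present
    upstream = split_version(v)[1]
    return upstream.split(REALLY, 1)[1] if REALLY in upstream else upstream

def is_affected(v):  # True when the package contents are a backdoored xz release
    return real_upstream(v) in AFFECTED_UPSTREAM
```

Run `compare()` on the output of `dpkg-query -W -f '${Version}' xz-utils` (or on any version string) to see which way apt will resolve an upgrade, and `is_affected()` to see whether the installed contents are the backdoored code.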