Hi all,
This topic is all over the internet at this point, and I doubt most operators here
would be affected, but it is worth a heads-up for people who do not stay on top
of the news:
The current maintainer (and also for the past two years) of xz-utils, which is
included in about every Linux distribution in existence, has been backdooring
the release tarball of the package since at least February 2024 and the 5.6.0 release.
The backdoor is specifically targeted at Debian and RPM-based systems, with
one known effect being remote unauthorized access to the SSH server
(due to those distributions patching sshd to link to systemd, which itself uses
liblzma from xz-utils).
The version is recent, and only included in Debian sid/testing as well as
Fedora 40/41, which have since yesterday published new packages removing
the backdoor. Other distributions like Gentoo or Arch Linux and derivatives were
also including the vulnerable versions, though it seems like no backdoored code
was built in there (the exploit was targeted during the build, and neither distribution
used a process that would include it).
The investigation is ongoing, but here [1] is the link to the oss-security mail which
was the first publication on that topic, and here [2] is a more detailed writeup of
the events.
Stay safe,
Mathieu
[1] https://www.openwall.com/lists/oss-security/2024/03/29/4
[2] https://boehs.org/node/everything-i-know-about-the-xz-backdoor
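A small triage script for the dependency chain described in the mail above (sshd linking libsystemd, which in turn loads liblzma), added here as an example and not part of the original post or of the xz project. It assumes that `xz --version` prints `xz (XZ Utils) X.Y.Z` on its first line, that `ldd` is available to list the shared libraries sshd loads, and that sshd is either on `PATH` or at `/usr/sbin/sshd`. The affected-release list (5.6.0 and 5.6.1) comes from the oss-security thread linked as [1].

```shell
#!/bin/sh
# Added triage helper for the xz-utils backdoor announcement; this is example
# code, not from the original mail or the xz project. Assumptions: `xz --version`
# prints "xz (XZ Utils) X.Y.Z" on its first line, `ldd` exists, and sshd is on
# PATH or at /usr/sbin/sshd.

# Extract the bare version number from the output of `xz --version`.
# Usage: parse_xz_version "$(xz --version)"   -> e.g. "5.6.1"
parse_xz_version() {
    printf '%s\n' "$1" | sed -n '1s/.*[[:space:]]\([0-9][0-9.]*\)[[:space:]]*$/\1/p'
}

# Return 0 (true) if the version is one of the releases known to carry the
# backdoor (5.6.0 and 5.6.1 per the oss-security thread), 1 otherwise.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if the given `ldd` output lists liblzma, i.e. the binary would load
# liblzma at start-up, directly or transitively (for sshd, via libsystemd).
ldd_output_links_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# Live check against the running host; each step is skipped when the tool it
# needs is missing, so the script is safe to run on any POSIX system.
report_host() {
    if command -v xz >/dev/null 2>&1; then
        ver=$(parse_xz_version "$(xz --version 2>/dev/null)")
        if xz_version_affected "$ver"; then
            echo "xz $ver: known backdoored release, update from your distribution now"
        else
            echo "xz $ver: not a known backdoored release"
        fi
    fi
    sshd_path=$(command -v sshd 2>/dev/null || true)
    [ -z "$sshd_path" ] && [ -x /usr/sbin/sshd ] && sshd_path=/usr/sbin/sshd
    if [ -n "$sshd_path" ] && command -v ldd >/dev/null 2>&1; then
        if ldd_output_links_liblzma "$(ldd "$sshd_path" 2>/dev/null)"; then
            echo "$sshd_path loads liblzma (exposed if the xz version above is affected)"
        else
            echo "$sshd_path does not load liblzma"
        fi
    fi
}

report_host
```

The version parser and the `ldd` check are split out from the host report so they can be exercised on captured output; on a host where sshd does not load liblzma the SSH exposure described in the mail does not apply even if the backdoored xz release is installed.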