Several Linux distributions are raising the alarm about a critical vulnerability discovered in the widely used compression tool xz and its associated libraries. Versions 5.6.0 and 5.6.1 have been found to contain a backdoor that could allow attackers to gain access to affected systems. Fedora, Debian, SUSE, and other distributions are cautioning users against using the latest versions of these distributions.
A significant vulnerability was recently discovered in the upstream source code of xz, a compression tool used in many Linux distributions. The affected versions, 5.6.0 and 5.6.1, contain an .m4 file with automake build instructions that are not present in the original repository. These instructions are used when building the liblzma library package, which is used by various tools including sshd, posing the threat of a supply chain attack. The vulnerability, identified as CVE-2024-3094, has been acknowledged by Red Hat.
Red Hat has issued a security alert advising Fedora Rawhide users to immediately stop using the affected installations. While Fedora 40 installations are not vulnerable, users are urged to downgrade to a safe version of xz such as 5.4 or lower. Red Hat has released an update in Rawhide to address the issue.
openSUSE has also alerted users about the vulnerability. The bug was identified by Andres Freund, who noticed unusual SSH login delays on Debian, indicating a potential security breach. Debian has also issued a warning about the bug, although stable versions of the distribution do not appear to be affected.
The vulnerability first appeared in xz version 5.5.1alpha-0.1 and persists through 5.6.1-1. To mitigate the risk, the xz package has been reverted to the safe version 5.4.5. Users of Debian, Fedora, SUSE, and other affected Linux distributions are advised to update their xz or xz-utils packages to eliminate the threat posed by the vulnerable versions.
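As an added example (not from the advisory or from any distribution's own tooling), the POSIX shell helpers below parse `xz --version` and `ldd` output to flag the two backdoored releases and to show whether sshd pulls in liblzma at all; the sample outputs are constructed, and `triage_local` is a hypothetical helper name for running the same checks on the live host.

```shell
# Added triage helpers for CVE-2024-3094 (not from the advisory or any distro).
# Affected upstream releases, per the advisory: 5.6.0 and 5.6.1.
# Print the liblzma version from `xz --version` output read on stdin. The
# library version is what matters: the backdoor lives in liblzma, which sshd
# can pull in, not in the xz command-line tool itself.
liblzma_version() {
    sed -n 's/^liblzma[[:space:]]\{1,\}\([0-9][0-9.]*\).*/\1/p' | head -n 1
}
# Exit status 0 when the version is one of the two backdoored releases.
is_backdoored_version() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}
# From `ldd <binary>` output on stdin, print the resolved liblzma path, or
# nothing if the binary does not load liblzma (directly or transitively).
linked_liblzma_path() {
    awk '/liblzma\.so/ { for (i = 1; i <= NF; i++) if ($i ~ /^\//) { print $i; exit } }'
}
# Combine both signals into one verdict line. Arguments: the `xz --version`
# text and the `ldd /usr/sbin/sshd` text. Always exits 0; the verdict is the output.
triage() {
    ver=$(printf '%s\n' "$1" | liblzma_version)
    path=$(printf '%s\n' "$2" | linked_liblzma_path)
    if [ -z "$ver" ]; then
        echo "UNKNOWN_VERSION"
    elif ! is_backdoored_version "$ver"; then
        echo "NOT_AFFECTED $ver"
    elif [ -z "$path" ]; then
        echo "AFFECTED_LIB_SSHD_NOT_LINKED $ver"   # library still needs downgrading
    else
        echo "AFFECTED $ver $path"
    fi
}
# Constructed sample outputs (not captured from a real host) for a self-check.
SAMPLE_XZ_VERSION='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
SAMPLE_SSHD_LDD='        libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f3a1c200000)
        liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f3a1c100000)'
# Hypothetical helper: run the same checks against the live host.
triage_local() {
    triage "$(xz --version 2>/dev/null)" "$(ldd /usr/sbin/sshd 2>/dev/null)"
}
# Only touches the live host when explicitly requested, e.g. XZ_TRIAGE_RUN=1 sh xz_triage.sh
if [ -n "${XZ_TRIAGE_RUN:-}" ]; then triage_local; fi
```

On a host reporting liblzma 5.6.0 or 5.6.1 the verdict starts with `AFFECTED`, and the fix remains what the advisory says: downgrade or update xz/xz-utils to a safe release such as 5.4.5.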