Urgent: Secret Backdoor Found in XZ Utils Library, Impacts Major Linux Distros

  • Andr-Tech


Updates essential for Debian sid, Fedora 40, Fedora Rawhide, openSUSE Tumbleweed, and openSUSE MicroOS

A backdoor has been discovered in the xz package that could potentially compromise SSH logins on Linux systems.

Only a few distributions have shipped the 5.6.x series of xz packages. But if you're on an affected system, look for an update right away.

Microsoft employee Andres Freund shared that he found odd symptoms in the xz package on Debian installations. Freund noticed that ssh login was requiring a lot of CPU and decided to investigate, leading to the discovery.

The vulnerability has received the maximum security ratings, with a CVSS score of 10 and a Red Hat Product Security critical impact rating.

Out of an abundance of caution, Fedora Linux 40 users have been recommended to downgrade to a 5.4 build. Some of the other Linux distributions impacted by the supply chain attack are below:

  1. Arch Linux (installation medium 2024.03.01, virtual machine images 20240301.218094 and 20240315.221711, and container images created between and including 2024-02-24 and 2024-03-28)
  2. Kali Linux (between March 26 and 29)
  3. openSUSE Tumbleweed and openSUSE MicroOS (between March 7 and 28)
  4. Debian testing, unstable, and experimental versions (from 5.5.1alpha-0.1 to 5.6.1-1)

The development has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to issue an alert of its own, urging users to downgrade XZ Utils to an uncompromised version (e.g., XZ Utils 5.4.6 Stable).
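The post tells affected users to check for an update or downgrade to an uncompromised build such as 5.4.6. The following POSIX shell script is an added example, not part of the original post or of the XZ Utils project, that reads the version string from `xz --version` on the local host and flags anything in the 5.6.x series the post names as affected. It assumes the standard first line of `xz --version` output (`xz (XZ Utils) <version>`) and treats only the upstream version number, not any distribution packaging suffix, as the thing to classify.

```shell
#!/bin/sh
# Added example: classify the installed xz version against the 5.6.x series
# named in the post. Assumes "xz --version" prints "xz (XZ Utils) X.Y.Z" on
# its first line, which is the upstream format.

# xz_is_affected VERSION -> prints "affected" for any 5.6.x release, else "ok"
xz_is_affected() {
    case "$1" in
        5.6|5.6.*) echo affected ;;
        *)         echo ok ;;
    esac
}

# xz_version_from_output "OUTPUT" -> extracts the bare version number from
# the text "xz --version" produced (first matching line only)
xz_version_from_output() {
    printf '%s\n' "$1" | sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# check_installed_xz -> prints a one-line verdict for this host.
# A host reporting "affected" should be updated or downgraded (the post
# mentions 5.4.6 as an uncompromised version) via its package manager.
check_installed_xz() {
    if ! command -v xz >/dev/null 2>&1; then
        echo "xz not installed"
        return 0
    fi
    ver=$(xz_version_from_output "$(xz --version 2>/dev/null)")
    echo "installed xz ${ver:-unknown}: $(xz_is_affected "$ver")"
}

# Run the local check when the script is executed directly
check_installed_xz
```

Run it on each host you manage; the verdict line is easy to collect from a fleet with whatever remote-execution tool you already use. Because it only looks at the version string, it is a triage aid for deciding which hosts need the distribution's update, not proof that a given binary is clean.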

