If you’re using xz version 5.6.0 or 5.6.1, please upgrade ASAP, especially if you’re using a rolling-release distro like Arch or its derivatives. Arch rolled out the patched version a few hours ago.
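A quick way to act on the advice above is to check which liblzma release is actually installed rather than guessing from the distro. The script below is an added example, not part of this thread or of XZ Utils; it assumes the two-line `xz --version` output format (`xz (XZ Utils) X.Y.Z` followed by `liblzma X.Y.Z`) and only matches the two release numbers named in this thread, 5.6.0 and 5.6.1. The sample version output in the usage is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread or the xz project): report whether the
# installed liblzma is one of the two releases named above (5.6.0 / 5.6.1).

# Returns 0 when the version string is one of the two affected releases.
xz_version_affected() {
  case "$1" in
    5.6.0|5.6.1) return 0 ;;
    *)           return 1 ;;
  esac
}

# Pull the liblzma version out of `xz --version` output. The assumed format is
#   xz (XZ Utils) 5.6.1
#   liblzma 5.6.1
# The second line is the one that matters: the library, not the CLI, carries
# the malicious code, and the two can in principle differ.
liblzma_version_from_output() {
  printf '%s\n' "$1" | awk '$1 == "liblzma" { print $2; exit }'
}

# Run the check against the xz binary on PATH. Exit status:
#   0 affected release installed, 1 not affected, 2 xz not found.
check_system() {
  if ! command -v xz >/dev/null 2>&1; then
    echo "xz not installed"
    return 2
  fi
  out=$(xz --version 2>/dev/null)
  ver=$(liblzma_version_from_output "$out")
  if xz_version_affected "$ver"; then
    echo "liblzma $ver: one of the affected releases, upgrade now"
    return 0
  fi
  echo "liblzma $ver: not one of the two affected releases"
  return 1
}

# Only run the live check when invoked with --check, so the functions can
# also be sourced and tested against constructed input.
[ "${1:-}" = "--check" ] && check_system
```

Run it as `sh check_xz.sh --check` (hypothetical file name). Note that a "not affected" result only tells you the version is not 5.6.0 or 5.6.1; it says nothing about how the package was built, which is the point the next comment makes.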
The backdoor only gets inserted when building RPM or DEB. So while updating frequently is a good idea, it won’t change anything for Arch users today.
> when building RPM or DEB.
Which ones? Everything I run seems to be clear.
https://access.redhat.com/security/cve/CVE-2024-3094
| Products / Services | Components | State |
|---|---|---|
| Enterprise Linux 6 | xz | Not affected |
| Enterprise Linux 7 | xz | Not affected |
| Enterprise Linux 8 | xz | Not affected |
| Enterprise Linux 9 | xz | Not affected |
(and thus all the bug-for-bug clones)
I think that was a precaution. The malicious build script ran during the build, but the backdoor itself was most likely not included in the resulting package, as it checked for specific packaging systems.