This is the best post I’ve read about it so far: https://boehs.org/node/everything-i-know-about-the-xz-backdoor
And you know what? Doing updates once a week saved me from updating to this version :)
If you’re using xz version 5.6.0 or 5.6.1, please upgrade asap, especially if you’re using a rolling-release distro like Arch or its derivatives. Arch has rolled out the patched version a few hours ago.
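A quick way to act on the advice above is to compare the installed xz-utils version against the two releases named in this thread. The script below is an added example, not something posted in the thread; its function names are our own, and the sample `xz --version` output it parses is constructed. It only tells you whether the version string matches 5.6.0 or 5.6.1, not whether a particular build actually carries the backdoored object, so treat a match as "upgrade now" and a non-match as "this specific check passed".

```shell
#!/bin/sh
# Added example (not from the thread): flag an installed xz that reports
# version 5.6.0 or 5.6.1, the two releases named above.

# Constructed sample of what `xz --version` prints on an affected machine.
SAMPLE_XZ_VERSION_OUTPUT='xz (XZ Utils) 5.6.1
liblzma 5.6.1'

# Pull "X.Y.Z" out of the first line of `xz --version` output.
# e.g. "xz (XZ Utils) 5.6.1" -> "5.6.1"
xz_version_from_output() {
    printf '%s\n' "$1" \
        | sed -n '1s/.*[^0-9.]\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Exit status 0 if the version is one of the two named releases, 1 otherwise.
xz_version_is_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Check the xz binary on PATH (if any) and print a verdict.
# Returns 1 when an affected version is found so it can gate a script.
check_installed_xz() {
    if ! command -v xz >/dev/null 2>&1; then
        echo "xz not found on PATH"
        return 0
    fi
    ver=$(xz_version_from_output "$(xz --version 2>/dev/null)")
    if xz_version_is_affected "$ver"; then
        echo "xz $ver: one of the affected releases (5.6.0/5.6.1), upgrade now"
        return 1
    fi
    echo "xz $ver: not one of the affected releases"
    return 0
}

# Demonstrate on the constructed sample, then on the real binary if present.
echo "sample output parses to: $(xz_version_from_output "$SAMPLE_XZ_VERSION_OUTPUT")"
check_installed_xz
```

On a rolling-release system you would run this after `pacman -Syu` (or your distro's equivalent) to confirm the reported version has moved off 5.6.0/5.6.1.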
Backdoor only gets inserted when building RPM or DEB. So while updating frequently is a good idea, it won’t change anything for Arch users today.
when building RPM or DEB.
Which ones? Everything I run seems to be clear.
https://access.redhat.com/security/cve/CVE-2024-3094
Products / Services | Components | State |
---|---|---|
Enterprise Linux 6 | xz | Not affected |
Enterprise Linux 7 | xz | Not affected |
Enterprise Linux 8 | xz | Not affected |
Enterprise Linux 9 | xz | Not affected |
(and thus all the bug-for-bug clones)
I think that was a precaution. The malicious build script ran during the build, but the backdoor itself was most likely not included in the resulting package as it checked for specific packaging systems.
They noticed that some ssh sessions took 0.5 seconds too long under certain circumstances. 😲
Holy hell that’s good QA.
Damn, it is actually scary that they managed to pull this off. The backdoor came from the second-largest contributor to xz too, not some random drive-by.
They’ve been contributing to xz for two years, and committed various “test” binary files.