Well this is fucking lovely....

Malicious code was discovered in the upstream tarballs of "xz" which then affects liblzma

Downstream there may be backdoors in various implementations of "sshd".

Versions Affected:

• Fedora 41
• Fedora Rawhide
• openSUSE Tumbleweed
• Debian testing, unstable, experimental distributions
• Kali updates between March 26th and March 29th

Original notice here:
https://www.openwall.com/lists/oss-security/2024/03/29/4

Red Hat CVE: https://nvd.nist.gov/vuln/detail/CVE-2024-3094

Red Hat Security Blog Post: https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users

Arch Linux Security Post: https://archlinux.org/news/the-xz-package-has-been-backdoored/

Debian Security Post: https://lists.debian.org/debian-security-announce/2024/msg00057.html

openSUSE Security Post: https://news.opensuse.org/2024/03/29/xz-backdoor/

Kali Linux announcement: https://infosec.exchange/@kalilinux/112180505434870941

CISA Advisory: https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094

Article here: https://www.helpnetsecurity.com/2024/03/29/cve-2024-3094-linux-backdoor/

#infosec #linux #foss #hacking #cve20243094 #cve