Red Hat announced on Friday that a backdoor has been discovered in the widely used xz data compression library, and that it may affect Fedora Linux 40 and the Fedora Rawhide developer distribution.
The company said the malicious code provides remote backdoor access via OpenSSH and systemd and is present in xz versions 5.6.0 and 5.6.1. The vulnerability carries the identifier CVE-2024-3094 and is rated 10 out of 10 on the CVSS severity scale.
Users of other Linux distributions should check which version of the xz suite they have installed. The backdoored versions, 5.6.0 and 5.6.1, were released on February 24 and March 9 respectively, and may not yet have been integrated into many distributions.
LTS distributions do not appear to be at risk, as they ship an older version of xz. But if you are running a Debian testing release or some other rolling release, it is worth checking your xz version.
Debian Unstable and Kali Linux are already reported to be affected, as is Fedora. So if you use any of these distributions you should replace any backdoored builds of xz.
Red Hat Enterprise Linux (RHEL) and Debian stable are not affected.
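The version check recommended above, written out as an added example (not code from the article or from the XZ Utils project): a POSIX sh script that reads `xz --version`, which prints both the xz tool version and the liblzma library version, and reports whether either is one of the two backdoored releases. The script and function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original article: check the installed xz/liblzma
# against the two backdoored XZ Utils releases (5.6.0 and 5.6.1, CVE-2024-3094).

# True (exit 0) when $1 is exactly one of the two affected release numbers.
xz_version_is_backdoored() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Pull a version number out of `xz --version` output.
#   $1 = the captured output text, $2 = the line prefix to look for
#        ("xz (XZ Utils)" or "liblzma"). Prints nothing if no such line.
version_of() {
    printf '%s\n' "$1" | sed -n "s/^$2 \([0-9][0-9.]*\).*/\1/p" | head -n 1
}

# Exit 0 if neither xz nor liblzma is 5.6.0/5.6.1, 1 if either is,
# 2 if xz is missing or its version output could not be parsed.
check_installed_xz() {
    if ! command -v xz >/dev/null 2>&1; then
        echo "xz not found in PATH; check your package manager for liblzma"
        return 2
    fi
    out=$(xz --version 2>/dev/null)
    xzver=$(version_of "$out" 'xz (XZ Utils)')
    libver=$(version_of "$out" 'liblzma')
    if [ -z "$xzver" ] && [ -z "$libver" ]; then
        echo "could not parse a version from: $out"
        return 2
    fi
    status=0
    for v in $xzver $libver; do
        if xz_version_is_backdoored "$v"; then
            echo "WARNING: $v is a backdoored release; install your distribution's fixed package"
            status=1
        fi
    done
    if [ "$status" -eq 0 ]; then
        echo "xz $xzver / liblzma $libver: not 5.6.0 or 5.6.1"
    fi
    return "$status"
}

# Usage: sh check-xz.sh --check   (exit status 1 means a backdoored build was found)
if [ "${1:-}" = "--check" ]; then
    check_installed_xz
fi
```

An exit status of 2 means the check could not decide, for instance on a system where liblzma is installed without the xz command line tool; in that case query the package manager instead.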