Red Hat announced on Friday that a backdoor has been discovered in the widely used xz data compression software library and may affect the distributions Fedora Linux 40 and the Fedora Rawhide developer distribution.
The company said that the malicious code provides remote backdoor access via OpenSSH and systemd, and is present in xz versions 5.6.0 and 5.6.1. The vulnerability has the identifier CVE-2024-3094 and is rated 10 out of 10 in CVSS severity.
Users of other Linux OS distributions should check to see what version of the xz suite they have installed. The infected versions, 5.6.0 and 5.6.1, were released on February 24 and March 9, respectively, and may not have been integrated into many distributions.
It should be mentioned that LTS distributions do not seem to be at risk, as they use an older version of xz. But if you are running a testing version of Debian, or some other rolling release, it would be good to check the version of xz.
Debian Unstable and Kali Linux are already reported to be affected, as is Fedora. So if you use any of these distributions you should replace any backdoored builds of xz.
Red Hat Enterprise Linux (RHEL) and Debian stable are not affected.
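
One way to run the version check recommended above is the following shell script. It is an added example, not from Red Hat or the xz project. The function names and the `check` argument are assumptions made for this illustration, and it reads both the `xz` and `liblzma` lines of `xz --version` because the tool and the library can be installed at different versions.

```shell
#!/bin/sh
# Added example: classify `xz --version` output against the two releases
# the article names as backdoored (5.6.0 and 5.6.1).

# extract_versions: read `xz --version` text on stdin and print the version
# number found on the "xz (XZ Utils)" line and on the "liblzma" line.
extract_versions() {
    sed -n -e 's/^xz (XZ Utils) \([0-9][0-9A-Za-z.]*\).*$/\1/p' \
           -e 's/^liblzma \([0-9][0-9A-Za-z.]*\).*$/\1/p'
}

# classify_xz: print "affected", "not-affected" or "unknown" for the
# `xz --version` text passed as the first argument.
classify_xz() {
    versions=$(printf '%s\n' "$1" | extract_versions)
    # No recognisable version line (xz missing or unexpected output).
    [ -n "$versions" ] || { echo unknown; return; }
    for v in $versions; do
        case "$v" in
            5.6.0|5.6.1) echo affected; return ;;
        esac
    done
    echo not-affected
}

# Query the local system only when invoked as: ./script.sh check
if [ "${1:-}" = "check" ]; then
    out=$(xz --version 2>/dev/null) || out=""
    echo "xz status: $(classify_xz "$out")"
fi
```

An `unknown` result means the output could not be parsed and the installed package version should be checked with the distribution's package manager instead.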