Hi all,

This topic is all over the internet at this point, and I doubt most operators here would be affected, but it is worth a heads-up for people who do not stay on top of the news:

The current maintainer (and for the past two years) of xz-utils, which is included in about every Linux distribution in existence, has been backdooring the release tarball of the package since at least February 2024 and the 5.6.0 release. The backdoor is specifically targeted at Debian and RPM-based systems, one known effect of which is providing remote unauthorized access to the SSH server (due to those distributions patching sshd to link to systemd, which itself uses liblzma from xz-utils). The version is recent and only included in Debian sid/testing as well as Fedora 40/41, which have since yesterday published new packages removing the backdoor. Other distributions like Gentoo or Arch Linux and derivatives also included the vulnerable versions, though it seems no backdoored code was built in there (the exploit was applied during the build, and neither distribution used a process that would include it).

The investigation is ongoing, but here [1] is the link to the oss-security mail which was the first publication on that topic, and here [2] is a more detailed writeup of the events.

Stay safe,
Mathieu

[1] https://www.openwall.com/lists/oss-security/2024/03/29/4
[2] https://boehs.org/node/everything-i-know-about-the-xz-backdoor
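Two quick host checks that follow from the mail above, as an added example (this is not code from the mail, from the oss-security post, or from the xz-utils project): whether the installed xz is in the range the mail names as backdoored, and whether sshd on the host actually links liblzma through the sshd -> libsystemd -> liblzma path the mail describes (the reason Debian/RPM systems are exposed and unpatched builds are not). It assumes "5.6.0 or newer" as the affected range only because the mail names 5.6.0 as the first backdoored release; treat the result as a prompt to consult your distribution's advisory, not as a verdict. The ldd samples are constructed.

```shell
#!/bin/sh
# Added example, not part of Mathieu's mail or of xz-utils. Two defender-side
# checks: (1) is the installed xz version >= 5.6.0, the first release the mail
# names as backdoored (assumption: everything from 5.6.0 on is treated as
# suspect; compare with your distribution's advisory), and (2) does sshd link
# liblzma, i.e. the Debian/RPM sshd -> libsystemd -> liblzma path above exists.

# Return 0 (true) when a dotted version string such as "5.6.0" is >= 5.6.0.
xz_version_affected() {
    IFS=. read -r major minor _patch <<EOF
$1
EOF
    [ "${major:-0}" -gt 5 ] && return 0
    [ "${major:-0}" -eq 5 ] && [ "${minor:-0}" -ge 6 ] && return 0
    return 1
}

# Pull the version number out of the first line of `xz --version`,
# e.g. "xz (XZ Utils) 5.6.0" -> "5.6.0".
xz_version_from_banner() {
    printf '%s\n' "$1" | sed -n '1s/.* \([0-9][0-9.]*\).*/\1/p'
}

# Return 0 when ldd output lists liblzma among a binary's dependencies.
links_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# Constructed sample ldd output (shortened, addresses zeroed): a distribution
# sshd patched to use libsystemd, which drags in liblzma, versus a build
# without that patch, as on the distributions the mail says were not affected.
SAMPLE_LDD_PATCHED_SSHD='    libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x0000)
    liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x0000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x0000)'
SAMPLE_LDD_PLAIN_SSHD='    libcrypto.so.3 => /usr/lib/libcrypto.so.3 (0x0000)
    libc.so.6 => /usr/lib/libc.so.6 (0x0000)'

# Live check of the running host; prints one line per finding.
check_host() {
    if command -v xz >/dev/null 2>&1; then
        ver=$(xz_version_from_banner "$(xz --version 2>/dev/null | head -n 1)")
        if xz_version_affected "$ver"; then
            echo "xz $ver: within the range the advisory names; check your distribution's fixed package"
        else
            echo "xz $ver: predates 5.6.0"
        fi
    else
        echo "xz not installed"
    fi
    sshd_bin=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
    if [ -x "$sshd_bin" ] && links_liblzma "$(ldd "$sshd_bin" 2>/dev/null)"; then
        echo "$sshd_bin links liblzma (typically via libsystemd): exposed if liblzma is backdoored"
    else
        echo "sshd absent or not linked against liblzma: the sshd vector does not apply here"
    fi
}

# Run the live check only when invoked as `sh xz_check.sh run`, so the
# functions can be sourced or tested without touching the host.
if [ "${1:-}" = run ]; then
    check_host
fi
```

The version check is deliberately one-sided: a version below 5.6.0 says nothing about whether the package was rebuilt from a clean tarball, and a version at or above it on a distribution that has already shipped a fixed package is not a finding on its own. The ldd check is the more useful signal, since it reproduces exactly the linkage the mail identifies as the reason the sshd effect exists on some distributions and not others.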
