Background
So a few days ago, back on 29 March 2024, a new critical vulnerability, now officially tracked as CVE-2024-3094, was disclosed.
This one is pretty damn serious: it carries a CVSS score of 10.0, the maximum on the scale. Basically it's bad, like really, really bad.
In a nutshell, Microsoft engineer Andres Freund happened to notice that SSH logins on his Debian unstable box had a slight delay (roughly half a second) and that sshd was burning more CPU than it should.
After going down a rabbit hole, he found that the build process of XZ Utils (the xz compression tool and its liblzma library) had been tampered with: malicious build scripts hidden in the release tarballs injected a backdoor into liblzma, which sshd on some distros loads indirectly via libsystemd.
The affected versions of XZ Utils are 5.6.0 and 5.6.1.
Which distros are affected?
The malicious releases only reached rolling and pre-release distros; stable releases such as Debian stable, Ubuntu LTS and RHEL never shipped them. If you're running one of the following, you most likely have an affected package installed:
- Fedora 40 (beta) and 41
- Fedora Rawhide
- Arch Linux (shipped 5.6.0, though Arch's sshd does not link liblzma, so the sshd attack path does not apply there)
- Debian unstable (sid)
- Alpine Edge
- openSUSE Tumbleweed
- openSUSE MicroOS
How to check for the XZ vulnerability
Run the following command to check which versions of xz and liblzma are installed on your machine or server. If either one reports 5.6.0 or 5.6.1, downgrade to 5.4.x or install your distro's fixed package ASAP, and since the backdoor lived in sshd's process, treat any exposed host as potentially compromised rather than merely vulnerable.
user@pc:~$ xz -V
xz (XZ Utils) 5.2.5
liblzma 5.2.5
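A scripted version of that check, as an added example that is not code from the original post: it parses the two lines `xz -V` prints, flags the exact versions 5.6.0 and 5.6.1, and on a live host also reports whether the sshd binary links liblzma, which is the path the backdoor needs. The filename `check_xz.sh` and the sample version strings are assumptions made for the example.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): parse `xz -V` output, flag the
# backdoored XZ Utils releases 5.6.0 / 5.6.1, and on a live host report
# whether sshd links liblzma (the library the backdoor lives in).

# Print "xz=<ver>" and "liblzma=<ver>", one per line, from `xz -V` output.
# Assumed output format (as printed by xz 5.x):
#   xz (XZ Utils) 5.6.1
#   liblzma 5.6.1
xz_versions() {
    printf '%s\n' "$1" | awk '
        /^xz \(XZ Utils\)/ { print "xz="      $NF }
        /^liblzma/         { print "liblzma=" $NF }
    '
}

# Exit 0 if either reported version is exactly 5.6.0 or 5.6.1, else 1.
# An exact match (rather than a substring match) keeps this from misfiring
# on package versions such as Debian's "5.6.1+really5.4.5".
xz_version_affected() {
    local v
    for v in $(xz_versions "$1" | cut -d= -f2); do
        case "$v" in
            5.6.0|5.6.1) return 0 ;;
        esac
    done
    return 1
}

# Exit 0 if the sshd binary pulls in liblzma (on Debian/Fedora-style builds
# it does, via libsystemd), 1 if it does not, 2 if sshd is not installed.
sshd_links_liblzma() {
    local bin
    bin="$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)"
    [ -x "$bin" ] || return 2
    ldd "$bin" 2>/dev/null | grep -q 'liblzma'
}

# Check the host this script runs on. Returns 1 when an affected version is
# installed so it can be used from automation.
check_host() {
    local out
    if ! out="$(xz -V 2>/dev/null)"; then
        echo "xz is not installed; nothing to check"
        return 0
    fi
    xz_versions "$out"
    if xz_version_affected "$out"; then
        echo "AFFECTED: backdoored XZ Utils release installed; downgrade or update now"
        if sshd_links_liblzma; then
            echo "  sshd links liblzma: the backdoor's target path exists on this host"
        fi
        return 1
    fi
    echo "OK: installed xz/liblzma is not 5.6.0 or 5.6.1"
    return 0
}

# Only run the live check when invoked directly as check_xz.sh (assumed
# filename), so the functions can also be sourced from other scripts.
case "${0##*/}" in
    check_xz.sh) check_host ;;
esac
```

Save it as `check_xz.sh`, `chmod +x` it and run it; a non-zero exit means an affected version is installed. Note that `xz -V` reports the version built into the binary, so on Debian's fixed `5.6.1+really5.4.5` package it prints 5.4.5 and the check correctly passes.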