To everyone losing their shit over the xz/liblzma debacle: This is how Open Source is supposed to work: many eyes looking over work-in-progress to make sure it works as intended. Sometimes it’s reviewing source code commits and other times it’s looking over the behavior of pre-release software, noticing anomalous behavior and chasing down the commit that caused it. This is precisely why we have debian-testing and FreeBSD-Current. If anything this is validation that Open Source works #xz #liblzma
Does everyone understand how much luck was involved in this exploit in #xz being discovered so quickly? And, what it tells us about the attacker?
This was a subtle and sophisticated attack implemented over years. The attacker was made a co-maintainer two years ago, and they made numerous innocuous-looking and seemingly unrelated changes over that time, sometimes through a second account, that eventually added up to a backdoor. Along with many innocent commits, too. #Linux
TL;DR #XZ has been backdoored in 5.6.0 and 5.6.1. While Fedora Rawhide and Fedora 41 packages are affected, Red Hat Enterprise Linux is NOT affected. Updates (well, technically downgrades to 5.4.x) for Fedora are being made available through the regular update channels. Our Security Alert explains more details. https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users
Check if your machine is affected: run xz --version and see if it returns 5.6.0 or 5.6.1. If it shows a lower version, you are safe, as far as we can see now.
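The version check in the post above, turned into a small shell script. This is an added example and not code from any of the posts or from the xz project; it assumes only the two-line format `xz --version` prints (one line for the xz binary, one for liblzma) and flags the 5.6.0 and 5.6.1 releases the posts name. The sample outputs are constructed so the functions can be exercised without the real binary.

```shell
# Added example (not from the posts above). Parses `xz --version` output
# and reports whether the xz binary or the liblzma it links is one of the
# backdoored releases 5.6.0 / 5.6.1 named in the Red Hat alert.

# Returns 0 (shell true) if any dotted version in the given text is 5.6.0
# or 5.6.1, 1 otherwise. Usage: xz_output_affected "$(xz --version 2>&1)"
xz_output_affected() {
    # Extract every x.y.z token; xz prints one for the binary and one for
    # liblzma, and both matter because the malicious code lives in liblzma.
    versions=$(printf '%s\n' "$1" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' || true)
    for v in $versions; do
        case "$v" in
            5.6.0|5.6.1) return 0 ;;
        esac
    done
    return 1
}

# Convenience wrapper that checks the xz actually installed on this host.
# Exit status: 0 = affected version found, 1 = not affected, 2 = xz absent.
check_local_xz() {
    if ! command -v xz >/dev/null 2>&1; then
        echo "xz not installed"
        return 2
    fi
    out=$(xz --version 2>&1)
    if xz_output_affected "$out"; then
        echo "AFFECTED (downgrade to 5.4.x per your distribution's advisory):"
        echo "$out"
        return 0
    fi
    echo "not affected: $out"
    return 1
}

# Constructed sample outputs in the format xz --version really prints.
SAMPLE_SAFE='xz (XZ Utils) 5.4.6
liblzma 5.4.6'
SAMPLE_BAD='xz (XZ Utils) 5.6.1
liblzma 5.6.1'

# Run the host check when the script is executed directly:
#   sh check_xz.sh; echo "exit=$?"
# check_local_xz
```

The liblzma line is checked as well as the xz line because the version that matters is the library's, and a distribution that has already shipped the downgrade the Red Hat post describes will report 5.4.x on both lines.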
Lasse Collin has posted an update on his plans for #xz and clearing up what happened: https://tukaani.org/xz-backdoor/ I hope he’s met with all the support and patience he needs.