
The xz tarballs released on GitHub contain malicious backdoor code in their m4 files

  1. The xz tarballs released on GitHub contain malicious backdoor code in their m4 files.

    Unless otherwise noted, the content at the following links is in English.

    oss-security mailing list: https://www.openwall.com/lists/oss-security/2024/03/29/4

    debian-security-announce mailing list: https://lists.debian.org/debian-security-announce/2024/msg00057.html

    CVE: https://www.cve.org/CVERecord?id=CVE-2024-3094

    NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-3094

    GitHub Advisory Database: https://github.com/advisories/GHSA-rxwq-x6h5-x525

    Red Hat Customer Portal: https://access.redhat.com/security/cve/CVE-2024-3094

    Red Hat Blog: https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users

    Red Hat Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2024-3094

    Debian Security Bug Tracker: https://security-tracker.debian.org/tracker/CVE-2024-3094

    SUSE Security: https://www.suse.com/security/cve/CVE-2024-3094.html

    SUSE Bugzilla: https://bugzilla.suse.com/show_bug.cgi?id=CVE-2024-3094

    Gentoo's Bugzilla: https://bugs.gentoo.org/show_bug.cgi?id=CVE-2024-3094

    Arch Linux News: https://archlinux.org/news/the-xz-package-has-been-backdoored/

    Arch Linux Advisories: https://security.archlinux.org/ASA-202403-1

    Everything I Know About the Xz Backdoor: https://boehs.org/node/everything-i-know-about-the-xz-backdoor

    ==== 被子饼 (busy digging through the sources) ====
    The evidence so far indicates that this backdoor only affects certain pre-release versions of Debian/Ubuntu/Fedora/openSUSE, and rollback updates have already been published for all of them.

    Distributions confirmed to have been affected:
    Debian unstable/testing between 2024-02-26 and 2024-03-29
    Ubuntu noble-proposed/noble-release between 2024-02-26 and 2024-03-29
    Fedora 40/41 (Rawhide) between 2024-02-27 and 2024-03-29
    openSUSE Tumbleweed between 2024-03-07 and 2024-03-28