XZ Utils Library Security Update Advisory (CVE-2024-3094)
Overview
We have released a security update to address a vulnerability in the XZ Utils library.
Affected Products
– XZ Utils versions 5.6.0, 5.6.1
– Kali Linux (between March 26 and 29)
– openSUSE Tumbleweed and openSUSE MicroOS (between March 7 and 28)
– Debian testing, unstable, and experimental versions (5.5.1alpha-0.1 through 5.6.1-1)
– Fedora 41 and Fedora Rawhide
Resolved Vulnerabilities
The liblzma library shipped in the affected versions was maliciously modified, allowing the inserted code to intercept and alter data handled by any software that links against XZ Utils (CVE-2024-3094, CVSS 10.0).
Vulnerability Action
Users of affected versions of the product are advised to apply a downgrade.
– For Fedora Linux 40, downgrade to build 5.4
– Downgrade to XZ Utils 5.4.6 Stable
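The following POSIX shell script is an added example, not part of this advisory, that helps confirm whether a host is running one of the XZ Utils versions listed above (5.6.0 or 5.6.1). It parses the first line of `xz --version` output (format assumed to be "xz (XZ Utils) <version>"), compares the version against the affected list, and reports the result; the sample outputs embedded in it are constructed for demonstration.

```shell
#!/bin/sh
# Added example: flag hosts running the XZ Utils versions the advisory lists as affected.
# Versions with the malicious liblzma, taken from the advisory.
AFFECTED_VERSIONS="5.6.0 5.6.1"

# Constructed sample outputs in the shape `xz --version` prints (assumption: first line
# reads "xz (XZ Utils) <version>", second line "liblzma <version>").
SAMPLE_AFFECTED='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
SAMPLE_SAFE='xz (XZ Utils) 5.4.6
liblzma 5.4.6'

# Return 0 if the given version string is one of the affected versions, 1 otherwise.
xz_is_affected() {
    ver="$1"
    for bad in $AFFECTED_VERSIONS; do
        if [ "$ver" = "$bad" ]; then
            return 0
        fi
    done
    return 1
}

# Extract the upstream version number from the first line of `xz --version` output.
# Prints nothing if the line does not match the expected shape.
parse_xz_version() {
    printf '%s\n' "$1" | sed -n '1s/.*XZ Utils) \([0-9][0-9.]*\).*/\1/p'
}

# Classify a full `xz --version` output: prints "AFFECTED <v>", "OK <v>" or "unknown".
# Exit status: 0 affected, 1 not affected, 2 could not parse.
check_xz_output() {
    v=$(parse_xz_version "$1")
    if [ -z "$v" ]; then
        echo "unknown"
        return 2
    fi
    if xz_is_affected "$v"; then
        echo "AFFECTED $v"
        return 0
    fi
    echo "OK $v"
    return 1
}

# Stand-alone use: check the xz binary on this host if one is installed, otherwise
# demonstrate on the constructed samples.
if command -v xz >/dev/null 2>&1; then
    check_xz_output "$(xz --version 2>/dev/null)" || :
else
    check_xz_output "$SAMPLE_AFFECTED" || :
    check_xz_output "$SAMPLE_SAFE" || :
fi
```

On distributions that ship liblzma as a separate package, the package manager's own version query (for example the Debian or Fedora package database) should be checked as well, since the library can be present without the `xz` binary and the distribution version strings in the "Affected Products" list differ from the upstream number this script parses.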
Referenced Sites
[1] CVE-2024-3094 Detail
https://nvd.nist.gov/vuln/detail/CVE-2024-3094
[2] Backdoor found in widely used Linux utility breaks encrypted SSH connections
[3] Reported Supply Chain Compromise Affecting XZ Utils Data Compression Library, CVE-2024-3094
[4] Are You Affected by the Backdoor in XZ Utils?
https://www.darkreading.com/vulnerabilities-threats/are-you-affected-by-the-backdoor-in-xz-utils
[5] Frequently Asked Questions About CVE-2024-3094, A Backdoor in XZ Utils