https://blog.darrennathanael.com/author/david-runge/Recent content in David Runge on Darren NathanaelHugoenFri, 29 Mar 2024 19:07:04 +0000https://blog.darrennathanael.com/posts/xz-package-backdoored/Fri, 29 Mar 2024 00:00:00 +0000https://blog.darrennathanael.com/posts/xz-package-backdoored/<p>TL;DR: Upgrade your systems and container images <strong>now</strong>!</p> <p>As many of you may have already read <a href="https://www.openwall.com/lists/oss-security/2024/03/29/4" target="_blank">1</a>, the upstream release tarballs for <code>xz</code> in version <code>5.6.0</code> and <code>5.6.1</code> contain malicious code which adds a backdoor.</p> <p>This vulnerability is tracked in the Arch Linux security tracker <a href="https://security.archlinux.org/ASA-202403-1" target="_blank">2</a>.</p> <p>The <code>xz</code> packages prior to version <code>5.6.1-2</code> (specifically <code>5.6.0-1</code> and <code>5.6.1-1</code>) contain this backdoor.</p> <p>The following release artifacts contain the compromised <code>xz</code>:</p> <ul> <li>installation medium <code>2024.03.01</code></li> <li>virtual machine images <code>20240301.218094</code> and <code>20240315.221711</code></li> <li>container images created between and including <em>2024-02-24</em> and <em>2024-03-28</em></li> </ul> <p>The affected release artifacts have been removed from our mirrors.</p>