Eek. Apparently liblzma (part of the xz package) has a backdoor in versions 5.6.0 and 5.6.1, causing SSH to be compromised.
https://www.openwall.com/lists/oss-security/2024/03/29/4
This might even have been done on purpose by the upstream devs.
Developing story, please take with a grain of salt.
The 5.6 versions are somewhat recent; depending on how bleeding edge your distro is, you might not be affected.
scy
Red Hat released an urgent security alert for Fedora 41 and Rawhide users:
> PLEASE IMMEDIATELY STOP USAGE OF ANY FEDORA 41 OR FEDORA RAWHIDE INSTANCES for work or personal activity.
https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users
> Although Fedora 40 beta contained the 5.6 version of xz in an update, the build environment prevents the injection from correctly occurring, and has not been shown to be compromised. Fedora 40 has now reverted to the 5.4.x versions of xz.
#RedHat #Fedora #FedoraRawhide #Fedora41