Arch Linux - News: The xz package has been backdoored

The xz package has been backdoored
2024-03-29 - David Runge

TL;DR: Upgrade your systems and container images now!

As many of you may have already read (one), the upstream release tarballs for xz in version 5.6.0 and 5.6.1 contain malicious code which adds a backdoor.

This vulnerability is tracked in the Arch Linux security tracker (two).

The xz packages prior to version 5.6.1-2 (specifically 5.6.0-1 and 5.6.1-1) contain this backdoor.

The following release artifacts contain the compromised xz:
  • installation medium 2024.03.01
  • virtual machine images 20240301.218094 and 20240315.221711
  • container images created between and including 2024-02-24 and 2024-03-28

The affected release artifacts have been removed from our mirrors.

We strongly advise against using affected release artifacts and instead downloading what is currently available as latest version!

Upgrading the system

It is strongly advised to do a full system upgrade right away if your system currently has xz version 5.6.0-1 or 5.6.1-1 installed:…

archlinux.org
1 comment
  • It appears there was a backdoor in the upstream releases of xz 5.6.0 and 5.6.1. Each distribution's packages for the affected versions need to be updated.