
Sheogorath's Blog

Helpful resources for the xz situation

A collection of useful resources to bring people up to speed on the situation.

Management summary

For those not up to speed: the xz package was backdoored (CVE-2024-3094) by a maintainer who had taken over the project during the past years. The malicious code shipped in the release tarballs of xz 5.6.0 and 5.6.1 and was injected into liblzma at build time. It targeted sshd on systemd-based distributions, where sshd is patched to link libsystemd, which in turn loads liblzma into the sshd process. It was found by Andres Freund while he was setting up a machine for microbenchmarks. The discovery came early and mainly affected bleeding-edge systems such as Fedora Rawhide or Debian Unstable. It is not the first supply-chain attack of its kind, but it could have been very impactful had it not been found that early.

If you need a government announcement, there is currently one from CISA. The German BSI hasn't provided one yet (to my knowledge).

There is now an upstream response by the original author and maintainer, Lasse Collin, who has taken the project back. He interrupted his well-earned vacation because a lot of people use his hobby project in production systems. Please understand that he has no obligation to you!

Timeline

There is a great article on the timeline of the incident by Evan Boehs. He’s updating the timeline quite frequently and there is nothing I could add, so just enjoy it there.

How to detect affected versions?

  1. Take a deep breath.
  2. Consider where you run sshd.
  3. Consider which distributions and OS versions you run sshd on, and what those distributions say about the vulnerability. Only the upstream releases 5.6.0 and 5.6.1 were backdoored, and the affected distributions have since rebuilt or reverted their packages.
  4. Run a detection script across your hosts to find affected versions.
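As an added example (not the detection script the post links to, and not code from the xz project), the following POSIX shell script does the version-based triage behind steps 3 and 4: it reads the liblzma version reported by the installed xz binary, compares it against the two backdoored upstream releases, 5.6.0 and 5.6.1, and reports whether the sshd binary on the host links liblzma at all. The function names and message texts are my own.

```sh
#!/bin/sh
# Added example, not the xz project's code and not the post's linked script.
# Triage for CVE-2024-3094: is the installed liblzma one of the two backdoored
# upstream releases, and does sshd on this host even load liblzma (the backdoor
# reached sshd via libsystemd -> liblzma on the affected distributions)?
# Hypothetical helper names; nothing here comes from the xz project or the post.

# is_backdoored_version VERSION: succeed only for the two known-bad releases.
is_backdoored_version() {
  case "$1" in
    5.6.0|5.6.1) return 0 ;;
    *)           return 1 ;;
  esac
}

# parse_liblzma_version: read `xz --version` output on stdin and print the
# liblzma version from its second line ("liblzma 5.4.6" -> "5.4.6").
# Prints nothing if no liblzma line is present.
parse_liblzma_version() {
  awk '$1 == "liblzma" { print $2; exit }'
}

# installed_liblzma_version: the liblzma version the xz binary on PATH reports,
# or nothing (and failure) when xz is not installed.
installed_liblzma_version() {
  command -v xz >/dev/null 2>&1 || return 1
  xz --version 2>/dev/null | parse_liblzma_version
}

# sshd_loads_liblzma: succeed if an sshd binary links liblzma, directly or via
# libsystemd, which is how the affected distributions wired it up. Tries PATH
# first, then the usual sbin locations, since sbin may be missing from PATH.
sshd_loads_liblzma() {
  command -v ldd >/dev/null 2>&1 || return 1
  for sshd_path in "$(command -v sshd 2>/dev/null)" /usr/sbin/sshd /usr/local/sbin/sshd; do
    [ -n "$sshd_path" ] && [ -x "$sshd_path" ] || continue
    ldd "$sshd_path" 2>/dev/null | grep -q 'liblzma' && return 0
  done
  return 1
}

# check_host: print a verdict. Return 0 if the version is not a backdoored
# release, 1 if it is, 2 if xz could not be found.
check_host() {
  ver=$(installed_liblzma_version)
  if [ -z "$ver" ]; then
    echo "xz not found on PATH; ask the package manager instead (dpkg -l liblzma5 / rpm -q xz-libs)"
    return 2
  fi
  if is_backdoored_version "$ver"; then
    echo "liblzma $ver is a backdoored release (CVE-2024-3094): follow your distribution's advisory"
    rc=1
  else
    echo "liblzma $ver is not one of the two backdoored upstream releases"
    rc=0
  fi
  if sshd_loads_liblzma; then
    echo "sshd on this host links liblzma, so it is in the affected configuration"
  else
    echo "sshd not found or does not link liblzma"
  fi
  return $rc
}

# The script's exit status is check_host's, so it can drive fleet-wide automation.
check_host
```

Run it as root, or with the sbin directories on PATH, so the ldd check can find the sshd binary. Mind the limits: a version string tells you whether you installed one of the two known-bad upstream releases, not whether the liblzma bytes on disk are clean, and distributions that shipped 5.6.x have since rebuilt or reverted their packages under version strings that differ from upstream. Treat your distribution's advisory as the authoritative answer, and treat any host that ran a backdoored version with sshd reachable as potentially compromised rather than merely patched.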