Channel: Zimbra Forums

Administrators • Re: xz has been backdoored [CVE-2024-3094]

The xz software is used in many Linux distributions and in macOS for tasks like compressing release tarballs, kernel images etc. But the backdoor was caught early – the malicious code only made it into a few bleeding-edge Linux distributions, such as the upcoming Fedora Linux 40; Fedora Rawhide developer distribution; Debian Unstable; and Kali Linux. Vulnerable distributions require glibc (for IFUNC, a way to make indirect function calls into OpenSSH authentication), and xz-5.6.0 or xz-5.6.1.

Red Hat has confirmed that Fedora Rawhide (the current development version of Fedora Linux) and Fedora Linux 40 beta contained affected versions (5.6.0, 5.6.1) of the xz libraries, and that no versions of Red Hat Enterprise Linux (RHEL) are affected.

OpenSUSE maintainers say that openSUSE Tumbleweed and openSUSE MicroOS included an affected xz version between March 7th and March 28th, and have provided advice on what users of those should do. “It has been established that the malicious file introduced into Tumbleweed is not present in SUSE Linux Enterprise and/or Leap.”

Debian maintainers announced that “no Debian stable versions are known to be affected”, but that compromised packages were part of the Debian testing, unstable and experimental distributions, and users of those “are urged to update the xz-utils packages.”

Users of Kali Linux who updated their installation between March 26th and March 29th are affected, OffSec confirmed.

Some Arch Linux virtual machine and container images and an installation medium contained the affected XZ versions.

Ubuntu says that no released versions of Ubuntu were affected by this issue.

Linux Mint is not affected. Gentoo Linux is not affected. Amazon Linux customers are not affected. Alpine Linux – not affected.

Zimbra-supported operating systems remain unaffected.
To check if your system utilizes a backdoored version of the liblzma library, you can use the script provided here:
https://github.com/cyclone-github/scrip ... -detect.sh


Alternatively, you can quickly assess if you are running a vulnerable version by employing the official detect.sh script from Openwall, accessible here:
https://www.openwall.com/lists/oss-secu ... /03/29/4/3
Download the script onto the system you wish to examine and execute the following commands:
chmod +x detect.sh
./detect.sh

Statistics: Posted by ashish.kataria — Wed Apr 03, 2024 7:44 am
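
A version-only triage for the two releases named in the post above (5.6.0 and 5.6.1), as an added example that is not part of the original post and is not the Openwall detect.sh. The function names are hypothetical, and it assumes sshd is on PATH and that the resolved library file name carries the version (liblzma.so.X.Y.Z).

```shell
#!/bin/sh
# Added example: version-only triage for CVE-2024-3094 (function names are hypothetical).
# Affected releases per the post: xz / liblzma 5.6.0 and 5.6.1.

# classify_version VERSION -> prints affected | not-affected | unknown
classify_version() {
    case "$1" in
        5.6.0|5.6.1) echo "affected" ;;
        '')          echo "unknown" ;;
        *)           echo "not-affected" ;;
    esac
}

# Reads `xz --version` text on stdin and prints the liblzma version it reports.
version_from_xz_output() {
    sed -n 's/^liblzma \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Extracts the version from a library file name such as liblzma.so.5.6.1.
version_from_soname() {
    basename "$1" | sed -n 's/^liblzma\.so\.\([0-9][0-9.]*\)$/\1/p'
}

# Prints the resolved path of the liblzma that sshd loads (empty if none found).
sshd_liblzma_path() {
    sshd_bin=$(command -v sshd 2>/dev/null) || return 0
    lib=$(ldd "$sshd_bin" 2>/dev/null | awk '/liblzma/ {print $3; exit}')
    if [ -n "$lib" ]; then readlink -f "$lib"; fi
}

check_host() {
    if command -v xz >/dev/null 2>&1; then
        v=$(xz --version | version_from_xz_output)
        echo "xz reports liblzma ${v:-?}: $(classify_version "$v")"
    fi
    lib=$(sshd_liblzma_path)
    if [ -n "$lib" ]; then
        v=$(version_from_soname "$lib")
        echo "sshd loads $lib (${v:-?}): $(classify_version "$v")"
    else
        echo "sshd not found on PATH or not linked against liblzma"
    fi
}

# Run the host check only when invoked as: ./xz-triage.sh check
if [ "${1:-}" = "check" ]; then check_host; fi
```

An "affected" result means the installed version matches one of the two releases named above and the package should be updated; a "not-affected" result is based on the version string alone.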


