There's a huge backdoor (#CVE-2024-3094) allowing remote SSH access (as far as I can tell at this moment) caused by a util called #xz affecting a ton of systems (#Linux and #macOS, well not really) and it's causing quite a huge panic. I honestly don't know much about it just yet, but just sharing some pieces to read about the huge vulnerability.
The person who had maliciously planted this vulnerability into xz-utils, Jia Tan, has made at least 750 contributions to the project over the past 2 years. They even have direct push access to the code repo, allowing them to have pushed commits with forged authors. Being "free" from this vulnerability is not as simple as reverting to a previous version due to just how much and how long they've contributed to the project, and people are rightfully suspicious that this Jia Tan person might have hidden other backdoors in xz.
Unlike most other vulnerabilities, it's a lot harder to pinpoint the versions affected by this, but the most likely case is that most systems out there, including Macs, have xz installed on their system and are impacted - which at this moment, the info being thrown around is any version past 5.3.1 (latest is 5.6.1).
🔗 https://access.redhat.com/security/cve/CVE-2024-3094
🔗 https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094
🔗 https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users
🔗 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068024
[REFER to post update below, Arch is most likely not affected] Mine, on #ArchLinux is certainly affected lol (people kept saying it most likely only affects #Ubuntu and #Fedora based distros):
❯ xz --version
xz (XZ Utils) 5.6.0
liblzma 5.6.0
:: removing xz breaks dependency 'xz' required by base
:: removing xz breaks dependency 'xz' required by bind
:: removing xz breaks dependency 'xz' required by ffmpeg
:: removing xz breaks dependency 'xz' required by ffmpeg4.4
:: removing xz breaks dependency 'xz' required by file
:: removing xz breaks dependency 'xz' required by fsarchiver
:: removing xz breaks dependency 'xz' required by gdb
:: removing xz breaks dependency 'xz' required by grub
:: removing xz breaks dependency 'xz' required by imagemagick
:: removing xz breaks dependency 'xz' required by imlib2
:: removing xz breaks dependency 'xz' required by kmod
:: removing xz breaks dependency 'xz' required by lib32-xz
:: removing xz breaks dependency 'xz' required by libarchive
:: removing xz breaks dependency 'xz' required by libelf
:: removing xz breaks dependency 'liblzma.so=5-64' required by libelf
:: removing xz breaks dependency 'xz' required by libtiff
:: removing xz breaks dependency 'xz' required by libunwind
:: removing xz breaks dependency 'xz' required by libxml2
:: removing xz breaks dependency 'xz' required by libxmlb
:: removing xz breaks dependency 'xz' required by libxslt
:: removing xz breaks dependency 'xz' required by ostree
:: removing xz breaks dependency 'liblzma.so=5-64' required by ostree
:: removing xz breaks dependency 'xz' required by raptor
:: removing xz breaks dependency 'xz' required by systemd
:: removing xz breaks dependency 'xz' required by systemd-libs
:: removing xz breaks dependency 'xz' required by wxwidgets-common
:: removing xz breaks dependency 'xz' required by zstd
The backdoor also appears to only run when built by the Debian build system or as an RPM package.
So is @linuxmint impacted by this?
@zleap@qoto.org @linuxmint@mastodon.social since Mint is Debian or Ubuntu based, it could if the bundled
xz package is new enough. If you're running Mint, just check with: xz --version and see if it's not newer than
5.3.1 or 5.4.6. I doubt it is, in which case you should be safe.
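As an added example (not code from this thread), a small POSIX shell check that parses `xz --version` output the way the reply above suggests and flags the two releases that the Red Hat and CISA advisories linked earlier name as carrying the backdoor, 5.6.0 and 5.6.1; it assumes those are the only affected upstream releases, and it also reports whether the local sshd actually loads liblzma, since that is the path the SSH concern depends on.

```shell
#!/bin/sh
# Added example, not code from the thread: classify an xz/liblzma version
# against the two releases the linked Red Hat/CISA advisories name as carrying
# the CVE-2024-3094 backdoor (5.6.0 and 5.6.1). Assumption: those two are the
# only affected upstream releases; anything else is reported as "not-listed",
# which is not the same as proven clean.

# extract_xz_version: pull the version number out of captured `xz --version`
# text (first line looks like "xz (XZ Utils) 5.6.0").
extract_xz_version() {
    printf '%s\n' "$1" | sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# xz_status: "backdoored", "not-listed" or "unknown" for one version string.
xz_status() {
    case "$1" in
        5.6.0|5.6.1) echo "backdoored" ;;
        [0-9]*.[0-9]*.[0-9]*) echo "not-listed" ;;
        *) echo "unknown" ;;
    esac
}

# check_xz_output: end-to-end helper over the full `xz --version` output.
check_xz_output() {
    ver=$(extract_xz_version "$1")
    [ -n "$ver" ] || { echo "unknown"; return 0; }
    xz_status "$ver"
}

# sshd_links_liblzma: prints "yes"/"no"/"n/a"; the backdoor only matters for
# SSH if the daemon on this host loads liblzma (directly or via libsystemd).
sshd_links_liblzma() {
    sshd_path=$(command -v sshd 2>/dev/null) || { echo "n/a"; return 0; }
    if ldd "$sshd_path" 2>/dev/null | grep -q liblzma; then echo "yes"; else echo "no"; fi
}

# Constructed sample, copied from the output pasted earlier in this thread.
SAMPLE_OUTPUT='xz (XZ Utils) 5.6.0
liblzma 5.6.0'

echo "sample from thread: $(check_xz_output "$SAMPLE_OUTPUT")"
if command -v xz >/dev/null 2>&1; then
    echo "this host: $(check_xz_output "$(xz --version 2>/dev/null)")"
    echo "sshd links liblzma: $(sshd_links_liblzma)"
fi
```

A "not-listed" result only means the version is not one of the two named releases; the remediation is still to install the distribution's fixed package rather than to judge by version alone.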