#Arm1tage
@arm1tage
March 30, 2024
[ XZ backdoor - CVE-2024-3094 ]

! Backdoor in upstream xz/liblzma leading to SSH server compromise !

Check: xz --version
5.6.0 & 5.6.1 — v u l n e r a b l e

Update: sudo apt update && sudo apt install --only-upgrade liblzma5

Summary: https://boehs.org/node/everything-i-know-about-the-xz-backdoor
How it all started (email): https://www.openwall.com/lists/oss-security/2024/03/29/4
GitHub Thread: https://web.archive.org/web/20240329223553/https://github.com/tukaani-project/xz/issues/92

Message from Kali Linux team: https://twitter.com/kalilinux/status/1773786266074513523
The xz package, starting from version 5.6.0 to 5.6.1, was found to contain a backdoor. The impact of this vulnerability affected Kali between March 26th to March 29th. If you updated your Kali installation on or after March 26th, it is crucial to apply the latest updates today.

Note that (almost) all Linux distros could be affected! For example, Fedora — Red Hat warned users to immediately stop using systems running Fedora development and experimental versions: https://www.bleepingcomputer.com/news/security/red-hat-warns-of-backdoor-in-xz-tools-used-by-most-linux-distros

News: https://www.helpnetsecurity.com/2024/03/29/cve-2024-3094-linux-backdoor
And from CISA: https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094

So... JiaT75 made 750 commits in 2 years and finally backdoored XZ...
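
The version check from the post, scripted so it can be run across a fleet. This is an added example, not part of the original post: the function names and the sample outputs are constructed, and it assumes the usual two-line `xz --version` output (one `xz (XZ Utils)` line and one `liblzma` line).

```shell
#!/bin/sh
# Added example. Classifies `xz --version` output against the two releases the
# post names as backdoored (5.6.0 and 5.6.1). Function names are hypothetical.

# Prints one word: "vulnerable", "ok" or "unknown". "ok" only means that
# neither reported version is 5.6.0 or 5.6.1.
classify_xz_output() {
    out=$1
    # Read both the "xz (XZ Utils) X.Y.Z" and the "liblzma X.Y.Z" line: the
    # post places the backdoor in liblzma, and the tool and the library it
    # loads can come from different packages.
    versions=$(printf '%s\n' "$out" |
        sed -n -e 's/^xz (XZ Utils) \([0-9][0-9.]*\).*$/\1/p' \
               -e 's/^liblzma \([0-9][0-9.]*\).*$/\1/p')
    [ -n "$versions" ] || { echo unknown; return 0; }
    for v in $versions; do
        case $v in
            5.6.0|5.6.1) echo vulnerable; return 0 ;;
        esac
    done
    echo ok
}

# Run the check against the xz installed on this host.
check_local_xz() {
    command -v xz >/dev/null 2>&1 || { echo "xz not installed"; return 0; }
    classify_xz_output "$(xz --version 2>/dev/null)"
}

# Constructed sample outputs (not captured from real hosts).
SAMPLE_BAD='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
SAMPLE_OK='xz (XZ Utils) 5.4.5
liblzma 5.4.5'
SAMPLE_MIXED='xz (XZ Utils) 5.4.5
liblzma 5.6.0'

for s in "$SAMPLE_BAD" "$SAMPLE_OK" "$SAMPLE_MIXED"; do
    classify_xz_output "$s"
done
```

On a real host, call `check_local_xz`; a result of `unknown` means the output did not match the assumed format and should be inspected by hand.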