The XZ Utils 5.6.0 and 5.6.1 tarballs published on GitHub by Jia Tan, one of the XZ maintainers, contain malicious backdoor code.
Unless noted otherwise, the linked content below is in English.
==== Information from the XZ side, and analysis of the backdoor ====
oss-security mailing list: https://www.openwall.com/lists/oss-security/2024/03/29/4
debian-security-announce mailing list: https://lists.debian.org/debian-security-announce/2024/msg00057.html
Statement by XZ lead maintainer Lasse Collin: https://tukaani.org/xz-backdoor/
FAQ by Sam James: https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27
Evan Boehs's blog: https://boehs.org/node/everything-i-know-about-the-xz-backdoor
Filippo Valsorda: https://bsky.app/profile/filippo.abyssdomain.expert/post/3kowjkx2njy2b
Gynvael Coldwind: https://gynvael.coldwind.pl/?id=782
RHEA's analysis of commit times and time zones: https://rheaeve.substack.com/p/xz-backdoor-times-damned-times-and
==== News coverage ====
LWN: https://lwn.net/Articles/967180/
==== Vendor information, mainly from the major distributions and security advisory databases ====
CVE: https://www.cve.org/CVERecord?id=CVE-2024-3094
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-3094
MSRC: https://techcommunity.microsoft.com/t5/microsoft-defender-vulnerability/microsoft-faq-and-guidance-for-xz-utils-backdoor/ba-p/4101961
GitHub Advisory Database: https://github.com/advisories/GHSA-rxwq-x6h5-x525
Red Hat Customer Portal: https://access.redhat.com/security/cve/CVE-2024-3094
Red Hat Blog: https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users
Red Hat Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2024-3094
Debian Security Bug Tracker: https://security-tracker.debian.org/tracker/CVE-2024-3094
Debian Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068024
Kali Linux Blog: https://www.kali.org/blog/about-the-xz-backdoor/
SUSE blog: https://www.suse.com/c/suse-addresses-supply-chain-attack-against-xz-compression-library/
SUSE Security: https://www.suse.com/security/cve/CVE-2024-3094.html
SUSE Bugzilla: https://bugzilla.suse.com/show_bug.cgi?id=CVE-2024-3094
openSUSE News: https://news.opensuse.org/2024/03/29/xz-backdoor/
Gentoo's Bugzilla: https://bugs.gentoo.org/show_bug.cgi?id=CVE-2024-3094
Arch Linux News: https://archlinux.org/news/the-xz-package-has-been-backdoored/
Arch Linux Advisories: https://security.archlinux.org/ASA-202403-1
OpenWrt: https://forum.openwrt.org/t/project-statement-about-xz-5-6-1-cve-2024-3094/193250
==== 被子饼, busy digging through sources ====
Current evidence indicates that the backdoor only reached the pre-release or rolling branches of Debian, Kali, Ubuntu, Fedora and openSUSE, and all of them have since shipped updates reverting to an unaffected version.
Distributions confirmed to have been affected:
Debian unstable/testing/experimental between 2024-02-01 and 2024-03-29
Kali Linux between 2024-03-26 and 2024-03-29
Ubuntu noble-proposed/noble-release between 2024-02-26 and 2024-03-29
Fedora 40/41(Rawhide) between 2024-02-27 and 2024-03-29
openSUSE Tumbleweed/MicroOS between 2024-03-07 and 2024-03-28
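The quickest practical check is whether the installed xz or liblzma is one of the two backdoored upstream releases named at the top of this page, 5.6.0 and 5.6.1. The POSIX sh script below is an added example, not code from the original page, the XZ project or any of the linked advisories. The tool and path names it uses (xz on PATH, ldd, /usr/sbin/sshd as a fallback sshd location) are assumptions about a typical Linux install; the sample outputs in the comments are constructed to match the real formats.

```shell
#!/bin/sh
# Added example, not from the page or the XZ project: flag an installed
# xz / liblzma that is one of the backdoored releases (5.6.0, 5.6.1).
# Tool names and the /usr/sbin/sshd fallback are assumptions.

# True (exit 0) when the given upstream version string is a backdoored release.
is_backdoored_xz_version() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# "xz --version" prints two lines, e.g. (constructed sample, real format):
#   xz (XZ Utils) 5.6.1
#   liblzma 5.6.1
# The first function prints the xz version, the second the liblzma version.
xz_version_from_output() {
    printf '%s\n' "$1" | sed -n '1s/^xz (XZ Utils) \([0-9][0-9.a-z]*\).*/\1/p'
}

liblzma_version_from_output() {
    printf '%s\n' "$1" | sed -n '2s/^liblzma \([0-9][0-9.a-z]*\).*/\1/p'
}

# True when ldd output for a binary shows it loading liblzma. A backdoored
# liblzma only matters in processes that load it; the linked oss-security
# post checks sshd for exactly this linkage.
links_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma'
}

# Live check of this host. Returns 1 if a backdoored release is installed,
# 0 otherwise (including when xz is not installed at all).
check_system() {
    status=0
    if ! command -v xz >/dev/null 2>&1; then
        echo "xz not found on PATH; nothing to check"
        return 0
    fi
    out=$(xz --version 2>/dev/null)
    for v in "$(xz_version_from_output "$out")" "$(liblzma_version_from_output "$out")"; do
        if is_backdoored_xz_version "$v"; then
            echo "backdoored xz release installed: $v"
            status=1
        fi
    done
    # Assumed sshd location when it is not on PATH (e.g. non-root shells).
    sshd_bin=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
    if [ -x "$sshd_bin" ] && command -v ldd >/dev/null 2>&1; then
        if links_liblzma "$(ldd "$sshd_bin" 2>/dev/null)"; then
            echo "note: $sshd_bin loads liblzma"
        fi
    fi
    return "$status"
}

if check_system; then
    echo "no backdoored xz release detected"
fi
```

The version test is deliberately exact: distributions shipped the reverted packages under their own version strings (Debian's 5.6.1+really5.4.5, for instance), and a naive "newer than 5.6" comparison would misread those, so the script keys only on the two upstream versions xz itself reports.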