
Malicious Code in Linux xz Libraries Endangers SSH

submitted by
Style Pass
2024-03-31 17:30:33


You may never have heard of the xz data compression code, but it’s vital to numerous programs, and we now know someone has planted malicious code in it. 

When Red Hat first broke the news that the latest version of the xz data compression libraries contained a booby trap, people were concerned but not too worried. Many at first thought it was just another security hole, while others reasoned that if it only affected the Fedora Linux 40 beta, how bad could it possibly be?

You see, while no one in their right mind would run a Fedora beta in production, the problem isn’t with Fedora. It’s with the new xz libraries: xz-libs-5.6.0-1.fc40.x86_64.rpm and xz-libs-5.6.0-2.fc40.x86_64.rpm.

The libraries contain malicious code designed to give attackers unauthorized access and let them take over systems. This backdoor malware was written into the upstream xz repository and then placed in its tarballs.
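A host check for the two builds named above, as an added example that is not part of the original article: it reads an RPM inventory in `rpm -qa` form and prints the entries that match them. The function names, the constructed sample inventory and the choice to match the same build on any architecture are assumptions of this example.

```shell
#!/bin/sh
# Added example: flag the xz-libs builds named in the article in an RPM inventory.

# Builds named in the article, as name-version-release (architecture removed).
FLAGGED_BUILDS="xz-libs-5.6.0-1.fc40 xz-libs-5.6.0-2.fc40"

# Print name-version-release for one inventory entry (package id or .rpm file name).
normalize_nvr() {
    _p=${1%.rpm}                       # package file name -> package id
    case $_p in                        # drop a trailing architecture, if present
        *.x86_64|*.i686|*.aarch64|*.ppc64le|*.s390x|*.noarch) _p=${_p%.*} ;;
    esac
    printf '%s\n' "$_p"
}

# Succeed if the entry is one of the flagged builds.
# Assumption: the same build on another architecture is also worth flagging.
is_flagged() {
    _nvr=$(normalize_nvr "$1")
    for _b in $FLAGGED_BUILDS; do
        [ "$_nvr" = "$_b" ] && return 0
    done
    return 1
}

# Read an inventory on stdin (one package per line) and print flagged entries.
scan_inventory() {
    while IFS= read -r _line || [ -n "$_line" ]; do
        [ -n "$_line" ] || continue    # skip blank lines
        if is_flagged "$_line"; then printf '%s\n' "$_line"; fi
    done
}

# Constructed sample inventory (not taken from a real host).
SAMPLE='bash-5.2.26-3.fc40.x86_64
xz-libs-5.6.0-2.fc40.x86_64
xz-libs-5.4.6-1.fc39.x86_64
xz-libs-5.6.0-1.fc40.x86_64.rpm
openssh-server-9.6p1-1.fc40.x86_64'

if [ "${1:-}" = "--host" ]; then
    rpm -qa | scan_inventory           # inventory of the local RPM-based host
else
    printf '%s\n' "$SAMPLE" | scan_inventory
fi
```

Run with `--host` on an RPM-based system to scan the installed packages; any printed line is a build the article names.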
