Xz: malicious code in distributed source

MaxK · March 30, 2024, 1:42am

This is bad if you use xz:

https://www.cve.org/CVERecord?id=CVE-2024-3094

And some background:

Update: A tool to check for infections

MaxK · March 30, 2024, 5:58pm

More details:

gist.github.com

https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27?permalink_comment_id=5006123

xz-backdoor.md

# FAQ on the xz-utils backdoor

## Background

On March 29th, 2024, a backdoor was discovered in
[xz-utils](https://xz.tukaani.org/xz-utils/), a suite of software that
gives developers lossless compression. This package is commonly used
for compressing release tarballs, software packages, kernel images,
and initramfs images. It is very widely distributed, statistically
your average Linux or macOS system will have it installed for

This file has been truncated. show original

robi · March 30, 2024, 6:13pm

An official statement from HA dev team, if HA is affected in any way or not…

PatG · April 12, 2024, 3:52pm

Hello,

HA uses Alpine Linux which does not appear to be affected.

Best regards,
Pat.