Recently, a vulnerability was reported in the xz library: https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromis...
On Friday, March 29, developer Andres Freund shared that he had discovered an upstream backdoor in the widely used command-line tool XZ Utils (liblzma).
Malicious code was pushed to the xz-utils project that introduced a backdoor reaching sshd. Here's how to find potentially vulnerable systems.
After the backdoor was discovered in the xz tarballs, Debian's developers paused the 12.6 point release for an in-depth analysis of the CVE's effects.
Hi, tl;dr: OpenWrt seems not to be affected by CVE-2024-3094. As you may be aware, malicious code was identified in the xz upstream tarballs starting from version 5.6.0. The development snapshots of OpenWrt were utilizing this compromised library version. Fortunately, the snapshot builds relied on source code tarballs from GitHub releases, which are generated automatically. These contained only the dormant segment of the malicious code. The crucial component that would activate the backdoo...
As of 5:00 pm ET on March 29, 2024 the following information is accurate. Should there be updates to this situation, they will be edited onto this blog post. The xz-utils package, in versions 5.6.0 and 5.6.1, was found to contain a backdoor (CVE-2024-3094). This backdoor could potentially allow a malicious actor to compromise sshd authentication, granting unauthorized remote access to the entire system.
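The two descriptions above ("here's how to find potentially vulnerable systems" and the 5.6.0/5.6.1 version range) point at the same triage question. The script below is an added example, not code from any of the linked articles or from the xz project: it flags the two backdoored release versions named in the advisories and reports whether the local sshd has liblzma linked in, which is the condition the backdoor needed to reach sshd's authentication path. The function names, the constructed `xz --version` and `ldd` sample output in the comments, and the `triage_host` entry point are this example's own; a version match is the necessary condition the advisories describe, not proof that a given distro build carried the active payload.

```shell
#!/bin/sh
# Added example: quick CVE-2024-3094 triage for one host.
# Functions read from stdin or take arguments so they can be exercised
# on constructed input without running xz or ldd.

# Returns 0 (true) when the version string is one of the two backdoored
# xz-utils releases named in the advisories, 1 otherwise.
is_affected_xz_version() {
  case "$1" in
    5.6.0|5.6.1) return 0 ;;
    *) return 1 ;;
  esac
}

# Extracts the version from `xz --version` output, e.g. the constructed
# line "xz (XZ Utils) 5.6.1" yields "5.6.1". Reads from stdin.
parse_xz_version() {
  sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Returns 0 when `ldd` output (on stdin) lists liblzma, e.g. a constructed
# line "liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5", 1 otherwise.
ldd_lists_liblzma() {
  grep -q 'liblzma\.so'
}

# Live check on the current host. Prints one verdict per check and
# returns 2 if the installed xz is an affected release, 0 otherwise.
triage_host() {
  rc=0
  if command -v xz >/dev/null 2>&1; then
    ver=$(xz --version 2>/dev/null | parse_xz_version)
    if is_affected_xz_version "$ver"; then
      echo "AFFECTED: xz $ver is a backdoored release (CVE-2024-3094)"
      rc=2
    else
      echo "ok: xz version '$ver' is not 5.6.0/5.6.1"
    fi
  else
    echo "info: xz not installed"
  fi

  # sshd is usually not on PATH for unprivileged users; fall back to the
  # conventional location (an assumption, adjust for your distro).
  sshd_bin=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
  if [ -x "$sshd_bin" ] && command -v ldd >/dev/null 2>&1; then
    if ldd "$sshd_bin" 2>/dev/null | ldd_lists_liblzma; then
      echo "note: $sshd_bin links liblzma; the backdoor can reach sshd if xz is affected"
    else
      echo "ok: $sshd_bin does not link liblzma"
    fi
  else
    echo "info: sshd or ldd not found, skipping link check"
  fi
  return $rc
}

triage_host
```

The liblzma link check matters because sshd itself does not use xz; on affected distributions liblzma was pulled in indirectly through libsystemd, so a host whose sshd shows no liblzma mapping is outside the reach of this payload even if the xz version matches.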
An overview of CVE-2024-3094, a vulnerability in XZ Utils impacting multiple Linux distributions, and information about how to mitigate.
644 strangers in your package.json. The XZ backdoor was caught by one engineer noticing half a second of latency. Next time it might be 50 milliseconds. Next time it might be no perceptible drift at all.
Fraunhofer-AISEC/supply-graph on GitHub.
AI agents are pushing software toward personal, verified, and agent-built systems where trust, identity, and user control define the next phase.
Kaspersky analysis of the backdoor recently found in XZ, which is used in many popular Linux distributions and is loaded into the OpenSSH server process.
The past few days have seen the security world focused on the revelation of the xz/liblzma backdoor. For more background, see this early writeup of the issue, this GitHub Gist, this detailed timeli...
Links to analysis, discussion and more related to the xz/liblzma compromise (CVE-2024-3094).
Learn how open source projects handle CVEs. From Heartbleed and Log4Shell to the prestd advisory, explore lessons on vulnerability disclosure, fast fixes, and building trust in software security.
Let's discover together how to use GPG to secure your exchanges (files, emails, commits) and how to store your keys on a Yubikey for added security!
As you probably already heard, the xz package got compromised. The package was used as an entry point to inject malicious code into sshd, altering the authentication flow. This deliberately planted vulnerability is now known as CVE-2024-3094.