There is a serious vulnerability in the popular compression tool xz and its related libraries. xz is a standard compression tool included in multiple Linux distributions. Versions 5.6.0 and 5.6.1 of this software appear to contain a backdoor that allows attackers to gain access to the system. The vulnerability is tracked as CVE-2024-3094 and could lead to supply chain attacks. Several Linux distributions, including Fedora, Debian, and SUSE, are warning users not to use the latest versions of the software. Debian, Fedora, SUSE, and other Linux users should update the xz or xz-utils packages so that the tool is rolled back to an older, non-vulnerable version.
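One way to check a host or a package inventory against the two releases named above, as an added example that is not part of the original page. The function names are hypothetical and the sample version strings in the comments are constructed; the script assumes distro package strings may carry an epoch, a revision suffix, or Debian's "+really" marker for a package that was rolled back while keeping a higher version number.

```shell
#!/bin/sh
# Added example: classify an xz / xz-utils version string against the two
# releases the advisory names (5.6.0 and 5.6.1).

# upstream_version STRING -> print the upstream version a package string ships.
# Constructed sample inputs: "5.6.1-1", "1:5.4.5-0.3", "5.6.1+really5.4.5-1".
upstream_version() {
    v=$1
    v=${v#*:}                              # drop an epoch prefix such as "1:"
    case $v in
        *+really*) v=${v##*+really} ;;     # the real content follows "+really"
    esac
    v=${v%%-*}                             # drop the distro revision ("-1")
    printf '%s\n' "$v"
}

# classify_xz STRING -> "affected", "not-listed" or "unknown".
# "not-listed" only means the version is not one the advisory names.
classify_xz() {
    case $(upstream_version "$1") in
        5.6.0|5.6.1)  echo affected ;;
        ''|*[!0-9.]*) echo unknown ;;      # empty or not a plain x.y.z version
        *)            echo not-listed ;;
    esac
}

# parse_xz_banner: read `xz --version` output on stdin, print the xz version.
parse_xz_banner() {
    sed -n 's/^xz (XZ Utils) \([^ ]*\).*$/\1/p' | head -n 1
}

# Report on the local binary when xz is installed; otherwise do nothing.
if command -v xz >/dev/null 2>&1; then
    installed=$(xz --version 2>/dev/null | parse_xz_banner)
    echo "xz ${installed:-?}: $(classify_xz "$installed")"
fi
```

Package-manager output (for example the version column from dpkg or rpm queries) can be passed to classify_xz directly, which covers hosts where the library is installed without the xz binary.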