(LINUX) Backdoor Found in XZ which allows access via SSH

Discussion in 'Techforge' started by Nyx, Mar 29, 2024.

  1. Nyx

    Nyx Guest

    Ratings:
    +0
    If you're using xz 5.6 (a compression program related to 7zip), you're being asked to roll it back to 5.4, as package maintainers found a backdoor in the 5.6 version that was just pushed to rolling releases and testing distros like Arch, and Fedora 40 beta.

    More info here:
    https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users

    While people might just say "this is nerd talk," this applies to anyone using Linux, even LTS releases, as the person who installed the backdoor has been on this project for 6 years, and who knows what they have been doing. More investigation will be forthcoming, but for now, rolling back to 5.4, if your library has updated, is highly recommended.

    This might be one of the worst breaches for Linux in years, as xz is a core component of most distros, including Fedora and Debian based distros. It seems the creator of that back door was targeting business systems, and most businesses on Linux use RPM or DEB based systems.

    So please double check to see which version of xz you're running if you're on Linux. Any Linux version.

    For Fedora, that would be going into the terminal and typing "sudo dnf info xz" which should give you the details you need.
    • Winner Winner x 1
    • popcorn popcorn x 1
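A scripted form of the version check the post asks for, added here as an example rather than anything from the thread or the xz project. It parses the real two-line format of `xz --version` (a constructed sample is embedded so it runs offline), then repeats the check against the live machine if `xz` is present. The list of compromised releases (5.6.0 and 5.6.1) is taken from the advisory the post links; the package names in the comments (`xz-libs` on Fedora, `liblzma5` on Debian/Ubuntu) are the ones those distros use.

```shell
#!/bin/sh
# Added example: flag a box whose liblzma is one of the compromised xz 5.6
# releases and should be rolled back to 5.4. Not code from the thread.

# Return 0 when the version string is a compromised release, 1 otherwise.
# The list (5.6.0, 5.6.1) comes from the linked advisory; anything else is
# treated as not-affected by this script.
xz_version_is_backdoored() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Pull the liblzma version out of `xz --version` output, which looks like:
#   xz (XZ Utils) 5.6.1
#   liblzma 5.6.1
# The library line is the one that matters: sshd is reached through liblzma,
# not through the xz binary itself.
parse_liblzma_version() {
    printf '%s\n' "$1" | while IFS=' ' read -r name ver _; do
        if [ "$name" = "liblzma" ]; then
            printf '%s\n' "$ver"
            break
        fi
    done
}

# Print a verdict for one `xz --version` output. Returns 0 if the box is
# affected, 1 if it is clean or the output could not be parsed.
check_xz_output() {
    ver=$(parse_liblzma_version "$1")
    if [ -z "$ver" ]; then
        echo "could not find a liblzma version line"
        return 1
    fi
    if xz_version_is_backdoored "$ver"; then
        echo "liblzma $ver: COMPROMISED release, downgrade to 5.4.x"
        return 0
    fi
    echo "liblzma $ver: not one of the known backdoored releases"
    return 1
}

# Constructed sample: what a freshly updated rolling-release box would print.
SAMPLE_BAD_OUTPUT='xz (XZ Utils) 5.6.1
liblzma 5.6.1'

check_xz_output "$SAMPLE_BAD_OUTPUT"

# Live check of this machine, if xz is installed. The same answer comes from
# `rpm -q xz-libs` (or the `sudo dnf info xz` the post suggests) on Fedora,
# and from `dpkg -s liblzma5` on Debian/Ubuntu. A non-zero status here just
# means "clean", so it is not allowed to abort the script.
if command -v xz >/dev/null 2>&1; then
    check_xz_output "$(xz --version 2>/dev/null)" || :
fi
```

Run it as `sh check-xz.sh`; the constructed sample always prints the COMPROMISED verdict so you can see what a hit looks like, and the second verdict is for the machine you ran it on.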
  2. matthunter

    matthunter Ice Bear

    Joined:
    Apr 26, 2004
    Messages:
    26,979
    Location:
    Bottom of the bearstack, top of the world
    Ratings:
    +48,761
    As someone doing the Certified Ethical Hacker course at the mo, Amaris is right that this is totes bad.

    Like the below, times 5000.

    [image: Screenshot 2024-03-30 194330.png]
    • Funny Funny x 4
  3. Lanzman

    Lanzman Vast, Cool and Unsympathetic Formerly Important

    Joined:
    Mar 27, 2004
    Messages:
    35,175
    Location:
    Someplace high and cold
    Ratings:
    +36,665
    Not good.
    • Agree Agree x 3
  4. Nyx

    Nyx Guest

    Ratings:
    +0
    Perfect.

    Yeah, this is a huge thing. When the CVE is 10 out of 10, you know massive fuckery is taking place, and they're not even sure how deep it goes. This was found by accident by a developer who happened to be wondering why SSH was so slow and decided to investigate. How many of these core libraries have been modified and have slipped through basic checks? We don't even know what might be affected at this point, because the method used was damned sneaky, brilliant even, because it was, at the very least, a two step process that looked innocuous from both ends.

    Indeed, it affects Mac users, too. XZ is a popular set of compression tools.
    • Agree Agree x 1
    • Winner Winner x 1