TL;DR: Update immediately, especially if SSH is enabled. xz versions 5.6.0 & 5.6.1 are impacted. The article contains links to each distro’s specific instructions of what to do.
https://news.opensuse.org/2024/03/29/xz-backdoor/
Current research indicates that the backdoor is active in the SSH Daemon, allowing malicious actors to access systems where SSH is exposed to the internet.
In summary, the conditions for exploitation seem to be:
- xz version 5.6.0 or 5.6.1
- SSH with a patch that causes xz to be loaded
- SSH daemon enabled
Impact on distros
-
Arch Linux: Backdoor was present, but shouldn’t be able to activate. Updating is still strongly recommended.
-
Debian: Testing, Unstable, and Experimental are affected (update to
xz-utils
version5.6.1+really5.4.5-1
). Stable is not affected. -
Fedora: 41 is affected and should not be used. Fedora 40 may be affected (check the version of
xz
). Fedora 39 is not affected. -
FreeBSD: Not affected.
-
Kali: Affected.
-
NixOS: NixOS unstable has the backdoor, but it should not be able to activate. NixOS stable is not affected.
-
OpenSUSE: Tumbleweed and MicroOS are affected. Update to
liblzma5
version5.6.1.revertto5.4
. Leap is not affected.
Why ssh? Does ssh use xz?
Not directly, but it’s often integrated with systemd which does.
https://hackaday.com/2024/03/29/security-alert-potential-ssh-backdoor-via-liblzma/
Yes. ssh’s RSA encryption uses liblzm.