The xz package that has already entered the current F40 pre-release versions/variants and rawhide contains malicious code. This does NOT affect users of the Fedora releases (F38, F39 are thus not affected), but all users who use already F40 pre-release versions/variants or rawhide shall read this: Article: CVE details: https://access.redhat.com/security/cve/CVE-2024-3094 Be aware that this is CVE criticality 10: this is the highest risk factor. Also be aware that the header of the RH arti...
Bad title. This is CVE-2024-3094. Run “xz --version” to see if you are affected.
AFAIK it‘s better to use
rpm -q xz xz-libs
(copied from the forum replies) to avoid runningxz
itself just in case the affected version is already installedIf you go to the post, on the comments, there is someone that is already telling you to run
dnf list xz --installed
. So you don’t need to runxz
directly.Yeah that’s just the title from the thread over on the Fedora forum
Can’t you edit it?
Yes but that would be disingenuous. The current title better captures the urgency of the situation
If you are checking out the extent of damage on your system do not use
ldd
to check the links.You can inadvertently executed the exploit this way.