Backdoor in xz might affect cooker and rolling users. Update as soon as possible!

A backdoor in liblzma, part of the xz compressor 5.6.x, has been discovered. The exact workings of the backdoor are not yet known; it is, however, clear that it targets OpenSSH servers and hijacks their authentication.

While the cooker and rolling branches of OpenMandriva Lx do include xz 5.6.1 and the problematic code is inside the source tarball, we currently believe that OpenMandriva is NOT vulnerable to this backdoor (the detect script provided by those who found the backdoor agrees with this assessment).
This is because the backdoor relies on implementation details that seem to exist only if openssh was built with gcc (OpenMandriva builds openssh with clang).

Users of Rock/5.0 are not affected because the version in 5.0 predates the addition of the malicious code.

However, given the high impact of this, and the fact that it’s hard to be 100% sure we’re safe, we’re releasing an update with the backdoor code removed (xz 5.6.1-2), and advise everyone to update the package quickly even if it is unlikely to have any effect.

We have also verified that the servers in our own infrastructure have not been compromised (the fact that we use aarch64 servers helps – the backdoor is x86 only).

Given this backdoor has been spread by someone with access to xz’s github account, it is possible that other malicious code is included there. Until xz code has been fully audited, we will reduce our reliance on xz. OpenMandriva is already the first distribution that has shifted to zstd compression for man pages and info pages, and among the first distributions to use zstd for the compression payload inside rpm packages.

Thanks @bero, always vigilant.

Package xz-5.6.1-2 published to ROME/rolling/main 2024-03-30 18:01 UTC
Package xz-5.6.1-2 published to Rock/5.0/main 2024-03-30 18:34 UTC

ROME and Rock users are advised to upgrade this package As Soon As Possible and pay attention that you do in fact end up with xz-5.6.1-2. As stated by project leader @bero above we do not believe that OMLx users were at risk. But better safe than sorry.

It is possible to check if the library is vulnerable using

It is possible to upload the xz binary, as well as the .so or the sshd.

It can also be seen with the detector that Binarly made:
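The posts above tell users to confirm that they actually ended up with the rebuilt xz-5.6.1-2 package, and note that the backdoor's hook depends on which compiler built openssh and on sshd linking liblzma at all. The following POSIX shell script is an added example written for this thread, not a script from the OpenMandriva project or from the people who found the backdoor, and it does not replace their detect script. It assumes an rpm-based host where the package is named `xz` (as in the thread) and that `ldd` and `readelf` are available; the version/release logic encodes only what the thread states (5.6.0 and 5.6.1 carry the malicious code, 5.6.1-2 is the cleaned rebuild).

```shell
#!/bin/sh
# Added example for the xz 5.6.x backdoor thread (assumptions: rpm-based host,
# package named "xz", release numbering as posted: 5.6.1-2 is the clean rebuild).

# Return 0 (true) when an xz rpm version/release pair is one of the upstream
# releases that shipped the malicious code (5.6.0, 5.6.1) and has not been
# rebuilt with the backdoor removed. 5.6.1 release 2 or later is treated as
# fixed, per the thread; an unparseable release is treated as affected.
xz_version_affected() {
    ver="$1"   # e.g. 5.6.1
    rel="$2"   # rpm release number, e.g. 1 or 2
    case "$ver" in
        5.6.0) return 0 ;;
        5.6.1)
            if [ "$rel" -ge 2 ] 2>/dev/null; then return 1; else return 0; fi ;;
        *) return 1 ;;
    esac
}

# Classify the toolchain from an ELF .comment string, the text printed by
# `readelf -p .comment <binary>`. The thread notes the hook relied on details
# of gcc-built openssh; this only reports which compiler produced the binary.
toolchain_from_comment() {
    case "$1" in
        *clang*) echo clang ;;
        *GCC*)   echo gcc ;;
        *)       echo unknown ;;
    esac
}

# Given `ldd` output for sshd, report whether liblzma is among its
# dependencies. An sshd that never loads liblzma has no surface for this hook.
lzma_link_state() {
    case "$1" in
        *liblzma*) echo linked ;;
        *)         echo not-linked ;;
    esac
}

# Live checks, run only when the relevant tools and files exist on this host.
if command -v rpm >/dev/null 2>&1; then
    vr=$(rpm -q --qf '%{VERSION} %{RELEASE}\n' xz 2>/dev/null | head -n 1)
    if [ -n "$vr" ]; then
        set -- $vr
        rel_num=${2%%[!0-9]*}   # keep the leading integer of the release tag
        if xz_version_affected "$1" "$rel_num"; then
            echo "xz $1-$2: affected build, update until you have xz-5.6.1-2"
        else
            echo "xz $1-$2: not an affected build"
        fi
    fi
fi

for sshd in /usr/sbin/sshd /usr/bin/sshd; do
    [ -x "$sshd" ] || continue
    echo "sshd: $sshd"
    if command -v ldd >/dev/null 2>&1; then
        echo "liblzma: $(lzma_link_state "$(ldd "$sshd" 2>/dev/null)")"
    fi
    if command -v readelf >/dev/null 2>&1; then
        echo "built with: $(toolchain_from_comment "$(readelf -p .comment "$sshd" 2>/dev/null)")"
    fi
    break
done
```

Run it as any user; the package check needs no privileges, and the sshd checks only read the binary. A result of "not an affected build" plus "built with: clang" matches the assessment given by @bero above, but the package update is still the thing to apply.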

Yesterday I had gone back to 5.4, then I did tests on the internet with mine and in the end I was saved, even with version 5.6.

Welcome @arteze to OpenMandriva and our forum. This forum is for users of OpenMandriva Linux operating systems.

OpenMandriva Forums are primarily users helping other users.

You are welcome to talk to our developers at OpenMandriva Chat.

Users with a problem need to read How to get better results when posting about problems before reporting any issue or problem. The article is not too long, so do read it.

When a new user has an issue, please look in the documentation for OMLx: the OpenMandriva wiki, the Forum Resources guide and the “Search” function of the forum.

If you don’t find what you are looking for, try an Internet search. One can find out a lot from documentation or forum posts at other Linux distros. If you find something written for another distro but have some doubt, ask at OpenMandriva Chat.

For serious technical issues and package/feature requests please file a bug report here.

Note: We are a small group. All the contributors and developers here are unpaid volunteers.
You can make OpenMandriva grow and improve by getting involved.

Any help with testing would be appreciated, whether one is technically proficient or a very non-technical user. The more people and more hardware we can get involved, the better we can make OMLx releases and packaging. We do a lot of testing in VMs as well. Developers tend to use Qemu; most user-level testers use VirtualBox.

Everything is fine, the only problem is that I speak Spanish, and the Bart Simpson poster cannot be translated by Google Translator, the rest is fine.

It is a brief excerpt of the long (but necessary) post just below it. More intended to attract the newcomers’ attention than else.