A backdoor in liblzma, part of the xz compressor 5.6.x, has been discovered. The exact workings of the backdoor are not yet known; it is, however, clear that it targets OpenSSH servers and hijacks their authentication.
While the cooker and rolling branches of OpenMandriva Lx do include xz 5.6.1 and the problematic code is inside the source tarball, we currently believe that OpenMandriva is NOT vulnerable to this backdoor (the detect script provided by those who found the backdoor agrees with this assessment).
This is because the backdoor relies on implementation details that seem to exist only if openssh was built with gcc (OpenMandriva builds openssh with clang).
Users of Rock/5.0 are not affected because the version in 5.0 predates the addition of the malicious code.
However, given the high impact of this, and the fact that it’s hard to be 100% sure we’re safe, we’re releasing an update with the backdoor code removed (xz 5.6.1-2), and advise everyone to update the package quickly even if it is unlikely to have any effect.
We have also verified that the servers in our own infrastructure have not been compromised (the fact that we use aarch64 servers helps – the backdoor is x86 only).
Given this backdoor has been spread by someone with access to xz’s github account, it is possible that other malicious code is included there. Until xz code has been fully audited, we will reduce our reliance on xz. OpenMandriva is already the first distribution that has shifted to zstd compression for man pages and info pages, and among the first distributions to use zstd for the compression payload inside rpm packages.
Package xz-5.6.1-2 published to ROME/rolling/main 2024-03-30 18:01 UTC
Package xz-5.6.1-2 published to Rock/5.0/main 2024-03-30 18:34 UTC
ROME and Rock users are advised to upgrade this package As Soon As Possible and pay attention that you do in fact end up with xz-5.6.1-2. As stated by project leader @bero above we do not believe that OMLx users were at risk. But better safe than sorry.
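A small audit helper, added here as an example and not part of the advisory above or of OpenMandriva's packages, that turns the statements in this thread into checks a user can run. Assumptions: the fixed package is xz-5.6.1-2 as stated above; "x86 only" is read as x86_64/i686; and sshd is only exposed when liblzma is actually mapped into its process, which is read from /proc/<pid>/maps on a live host or from a supplied file.

```shell
#!/bin/sh
# Added example (not OpenMandriva code): checks derived from the xz 5.6.x advisory.

# classify_xz VERSION[-RELEASE] -> prints backdoored | fixed-rebuild | other-version
classify_xz() {
    ver="${1%%-*}"
    rel="${1#*-}"
    [ "$rel" = "$1" ] && rel=0            # no release suffix given
    rel="${rel%%.*}"                      # "2.1" -> "2"
    case "$ver" in
        5.6.0) echo backdoored ;;         # upstream tarball carries the backdoor
        5.6.1)
            # only the 5.6.1-2 (or later) rebuild has the backdoor code removed
            if [ "$rel" -ge 2 ] 2>/dev/null; then echo fixed-rebuild; else echo backdoored; fi ;;
        *) echo other-version ;;          # e.g. Rock/5.0's older xz predates the code
    esac
}

# arch_exposed ARCH -> prints yes for x86 builds, no otherwise
# (assumption: the advisory's "x86 only" means x86_64 and i?86)
arch_exposed() {
    case "$1" in
        x86_64|i?86) echo yes ;;
        *) echo no ;;
    esac
}

# sshd_maps_liblzma MAPSFILE -> prints yes if liblzma is mapped into the process.
# Live use: for p in $(pidof sshd); do sshd_maps_liblzma "/proc/$p/maps"; done
sshd_maps_liblzma() {
    if grep -q 'liblzma\.so' "$1" 2>/dev/null; then echo yes; else echo no; fi
}

# assess ARCH XZ_VERSION MAPSFILE -> clean | update-anyway | at-risk
assess() {
    if [ "$(classify_xz "$2")" != backdoored ]; then
        echo clean
    elif [ "$(arch_exposed "$1")" = no ] || [ "$(sshd_maps_liblzma "$3")" = no ]; then
        echo update-anyway   # backdoored library installed, but no known trigger path
    else
        echo at-risk
    fi
}

# Live usage on an OpenMandriva host (uncomment to run):
# assess "$(uname -m)" "$(rpm -q --qf '%{VERSION}-%{RELEASE}' xz)" "/proc/$(pidof -s sshd)/maps"
```

The verdict is only about the trigger path described in this thread; as the advisory says, installing xz-5.6.1-2 is the right action regardless of the result.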