XZ backdoor CVE-2024-3094

Francisco Athens

Apr 3, 2024, 1:28:32 PM
to Felton LUG
As you may have heard, xz (a widely used compression utility and library) was found to have a backdoor added by a malicious contributor.


According to Tenable, these are the known affected distro releases:

Fedora Rawhide

https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users

Fedora Rawhide is the development distribution of Fedora Linux

Fedora 40 Beta

https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users

Fedora Linux 40 beta does contain two affected versions of xz libraries, however does not appear to be affected. All Fedora 40 beta users are still encouraged to revert to 5.4.x versions of XZ.

Fedora 41

https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users

 

Debian testing, unstable and experimental distributions versions 5.5.1alpha-0.1 to 5.6.1-1.

https://lists.debian.org/debian-security-announce/2024/msg00057.html

https://security-tracker.debian.org/tracker/CVE-2024-30


openSUSE Tumbleweed and openSUSE MicroOS

https://news.opensuse.org/2024/03/29/xz-backdoor/

Backdoored version of xz was included in Tumbleweed and MicroOS between March 7 and March 28

Kali Linux

https://www.kali.org/blog/about-the-xz-backdoor/

Backdoored version of xz was included in Kali Linux (xz-utils 5.6.0-0.2) between March 26 and March 28

Arch Linux

https://archlinux.org/news/the-xz-package-has-been-backdoored//





