A backdoor in xz

by corbet from LWN.net (#6KQ4W)

Andres Freund has posted a detailed investigation into a backdoor that was shipped with versions 5.6.0 and 5.6.1 of the xz compression utility. It appears that the malicious code may be aimed at allowing SSH authentication to be bypassed.

I have not yet analyzed precisely what is being checked for in the injected code, to allow unauthorized access. Since this is running in a pre-authentication context, it seems likely to allow some form of access or other form of remote code execution.

The affected versions are not yet widely shipped, but checking systems for the bad version would be a good idea.
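
One way to do the check suggested above, as an added example that is not part of the LWN article: a shell script that parses `xz --version` output and flags the two releases the article names. The function names, the `--host` switch and the sample output are assumptions made for this example.

```shell
#!/bin/sh
# Added example: flag the xz/liblzma releases the article names as backdoored.
AFFECTED_VERSIONS="5.6.0 5.6.1"   # from the article text

# Succeeds (exit 0) only on an exact match, so 5.6.10 is not confused with 5.6.1.
is_affected_version() {
    for bad in $AFFECTED_VERSIONS; do
        if [ "$1" = "$bad" ]; then return 0; fi
    done
    return 1
}

# Reads `xz --version` style text on stdin and prints each version number found.
# That command reports the xz tool and the liblzma library on separate lines.
extract_versions() {
    sed -nE 's/^(xz \(XZ Utils\)|liblzma) ([0-9]+(\.[0-9]+)*).*/\2/p'
}

# Prints one verdict per component. Exit status: 0 clean, 1 affected, 2 unparsable.
check_version_text() {
    versions=$(extract_versions)
    [ -n "$versions" ] || { echo "unknown: no version found"; return 2; }
    status=0
    for v in $versions; do
        if is_affected_version "$v"; then
            echo "AFFECTED: $v"; status=1
        else
            echo "ok: $v"
        fi
    done
    return $status
}

# Hypothetical helper: checks the xz found on PATH of the current host.
check_installed_xz() {
    command -v xz >/dev/null 2>&1 || { echo "xz not found on PATH"; return 0; }
    xz --version | check_version_text
}

# `--host` checks this machine; with no argument the constructed sample is used.
if [ "${1:-}" = "--host" ]; then check_installed_xz; exit $?; fi
# Constructed sample (not captured from a real system): old tool, affected library.
SAMPLE='xz (XZ Utils) 5.4.6
liblzma 5.6.1'
printf '%s\n' "$SAMPLE" | check_version_text || true
```

A clean result only says that neither named release is installed now; it says nothing about whether a previously installed copy was used.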

Update: there are advisories out now from Arch, Debian, Red Hat, and openSUSE.

A further update from openSUSE:

For our openSUSE Tumbleweed users where SSH is exposed to the internet we recommend installing fresh, as it's unknown if the backdoor has been exploited. Due to the sophisticated nature of the backdoor an on-system detection of a breach is likely not possible. Also rotation of any credentials that could have been fetched from the system is highly recommended.