A backdoor in xz

Andres Freund has posted a
detailed investigation into a backdoor that was shipped with versions
5.6.0 and 5.6.1 of the xz compression utility. It appears that the
malicious code may be aimed at allowing SSH authentication to be bypassed.

I have not yet analyzed precisely what is being checked for in the
injected code, to allow unauthorized access. Since this is running
in a pre-authentication context, it seems likely to allow some form
of access or other form of remote code execution.

The affected versions are not yet widely shipped, but checking systems for
the bad version would be a good idea.

Update: there are advisories out now from
Arch,
Debian,
Red
Hat, and
openSUSE.

A further
update from openSUSE:

For our openSUSE Tumbleweed users where SSH is exposed to the
internet we recommend installing fresh, as it’s unknown if the
backdoor has been exploited. Due to the sophisticated nature of the
backdoor an on-system detection of a breach is likely not
possible. Also rotation of any credentials that could have been
fetched from the system is highly recommended.