CVE-2024-3094 has finally been fixed in version 5.6.2.
Exactly two months ago, cyberspace was shaken by the release of an urgent warning regarding malicious code in XZ Utils, which turned out to be a backdoor added by an attacker under the pseudonym Jia Tan. Presumably, a Chinese hacker, or even a whole group of hackers, managed to win over users and become a co-developer of the project.
Only two months later, XZ lead developer Lasse Collin finally released the XZ 5 version.6.2 with the backdoor completely removed.
XZ Utils is a cross-platform set of programs for data compression. They are used primarily in Linux to reduce file size, which helps save disk space and speed up data transfer over the network. The main component of XZ Utils is the liblzma library, which provides an LZMA data compression algorithm.
The vulnerability CVE-2024-3094, which was present in previous versions 5.6 and 5.6.1., was completely eliminated in the latest release. Meanwhile, the investigation of the backdoor situation continues, and everyone can follow the updates on the special XZ page.
Lasse Collin also revealed that the ill-fated Jia Tan will be replaced by Sam James as XZ's maintainer.
In addition to removing the backdoor, XZ 5.6.2 fixed several bugs, added support for the NVIDIA HPC SDK compiler, and removed support for the GNU Indirect Function (IFUNC). IFUNC was used in the backdoor, but its removal was due to the fact that its performance benefits were insignificant, and the code complexity increased significantly.
In addition to XZ 5.6.2, versions XZ 5.4.7 and XZ 5.2.13 were also released, containing various bug fixes. However, only XZ version 5.6 was affected by the problem with the embedded backdoor.
Exactly two months ago, cyberspace was shaken by the release of an urgent warning regarding malicious code in XZ Utils, which turned out to be a backdoor added by an attacker under the pseudonym Jia Tan. Presumably, a Chinese hacker, or even a whole group of hackers, managed to win over users and become a co-developer of the project.
Only two months later, XZ lead developer Lasse Collin finally released the XZ 5 version.6.2 with the backdoor completely removed.
XZ Utils is a cross-platform set of programs for data compression. They are used primarily in Linux to reduce file size, which helps save disk space and speed up data transfer over the network. The main component of XZ Utils is the liblzma library, which provides an LZMA data compression algorithm.
The vulnerability CVE-2024-3094, which was present in previous versions 5.6 and 5.6.1., was completely eliminated in the latest release. Meanwhile, the investigation of the backdoor situation continues, and everyone can follow the updates on the special XZ page.
Lasse Collin also revealed that the ill-fated Jia Tan will be replaced by Sam James as XZ's maintainer.
In addition to removing the backdoor, XZ 5.6.2 fixed several bugs, added support for the NVIDIA HPC SDK compiler, and removed support for the GNU Indirect Function (IFUNC). IFUNC was used in the backdoor, but its removal was due to the fact that its performance benefits were insignificant, and the code complexity increased significantly.
In addition to XZ 5.6.2, versions XZ 5.4.7 and XZ 5.2.13 were also released, containing various bug fixes. However, only XZ version 5.6 was affected by the problem with the embedded backdoor.
