CVE-2024-3094: All Clear – Fedora Magazine
It’s official — CVE-2024-3094 is the “Backdoor in XZ Utils That Almost Happened”. Fortunately, the malware was detected before we released the compromised version as an official update. If you are using Fedora Linux 38 or 39, or an up-to-date Fedora Linux 40 Beta, you should be all set, and the upcoming Fedora Linux 40 final release is not affected.
The XZ backdoor is a devious piece of work. It affects the SSH remote login protocol, which has a feature where users can be authenticated using a public-private key pair. The exploit sneaks a public key right into the allow-list, so someone out there with the corresponding key could log in to a compromised machine with full root access — without a trace. We have no evidence that the attackers ever got a chance to take advantage of this, but if the malware had slipped by undetected, it could have been devastating.
Fortunately, the plot was foiled by Andres Freund while doing volunteer work in his spare time. He noticed that there was a slight change in performance, and decided to investigate. One of my Fedora friends quoted John Denver: “What one man can do is change the world and make it work again! Here you see what one man can do.”
If you have a system with the Fedora Linux 40 Beta or Fedora Rawhide, and you applied updates during the time the compromised package was in our updates-testing repository, you should check to make sure that it is now reverted, and apply current updates if not. (You should have xz-5.4.6, as of this post.) On Fedora Workstation systems, the ssh daemon does not run by default, which additionally limits possible risk. However, if you did have the bad update on a system, or think you might have, we recommend a full reinstall out of an abundance of caution.
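The check described above, as an added example that is not part of the Fedora Magazine post: a small read-only script for a Fedora Linux 40 Beta or Rawhide host that reports whether the installed xz package is back at 5.4.6 (the version the post names), whether the ssh daemon is running, and which of the post's recommendations applies. It assumes `rpm` and `systemctl` exist on the host (both are guarded) and that the ssh daemon unit is named `sshd`, as it is on Fedora; it never changes the system, so the `dnf upgrade` and reinstall steps remain the administrator's decision.

```shell
#!/bin/sh
# Added example (not from the Fedora Magazine post or the Fedora project):
# post-incident check for the xz update rollback on a Fedora host.
# Assumptions: rpm and systemctl are present (guarded below); sshd unit name is "sshd".

EXPECTED_XZ="5.4.6"   # version the post says an up-to-date system should have

# xz_status VERSION -> "expected" when VERSION is exactly 5.4.6, else "unexpected".
# Anything other than the reverted version deserves a look, older or newer.
xz_status() {
    if [ "$1" = "$EXPECTED_XZ" ]; then
        echo expected
    else
        echo unexpected
    fi
}

# next_step XZ_STATUS SSHD_STATE -> a short action code derived from the post:
#   apply-updates         xz is not at the expected version: update, then re-check
#   reinstall-if-exposed  version is fine; reinstall only if the bad update was ever installed
# The sshd state does not change the action, only how exposed the host was.
next_step() {
    if [ "$1" = "expected" ]; then
        echo reinstall-if-exposed
    else
        echo apply-updates
    fi
}

# explain XZ_STATUS SSHD_STATE -> human-readable version of next_step
explain() {
    case "$(next_step "$1" "$2")" in
        apply-updates)
            echo "xz is not at $EXPECTED_XZ: run 'sudo dnf upgrade --refresh', then re-run this check." ;;
        reinstall-if-exposed)
            echo "xz is at $EXPECTED_XZ. If the bad update was ever installed on this host, reinstall it."
            if [ "$2" = "active" ]; then
                echo "sshd is running on this host, so it was reachable over SSH while the bad package was installed."
            else
                echo "sshd is not running (the Fedora Workstation default), which limited the exposure."
            fi ;;
    esac
}

# Live check of this host; skipped where rpm is unavailable (e.g. outside Fedora).
if command -v rpm >/dev/null 2>&1; then
    # --qf prints only the version field, e.g. "5.4.6"
    installed="$(rpm -q --qf '%{VERSION}\n' xz 2>/dev/null || echo unknown)"
    status="$(xz_status "$installed")"
    if command -v systemctl >/dev/null 2>&1; then
        sshd_state="$(systemctl is-active sshd 2>/dev/null || true)"
    fi
    sshd_state="${sshd_state:-unknown}"
    echo "installed xz version: $installed ($status)"
    echo "sshd state: $sshd_state"
    explain "$status" "$sshd_state"
else
    echo "rpm not found; this check is meant to run on a Fedora host."
fi
```

Run it as an ordinary user on the host in question; it only queries the package database and the service state. A result of `apply-updates` after `dnf upgrade` has already been run means the package still is not at 5.4.6 and is worth investigating rather than ignoring.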
Fedora Linux 38 and 39 never had even a candidate update for the compromised package, and we pulled the test update for 40, so it was never merged into the release.