
SUSE addresses supply chain attack against xz compression library


SUSE received notification of a supply chain attack against the “xz” compression tool and “liblzma5” library.

Background

Security researcher Andres Freund reported to Debian that the xz / liblzma library had been backdoored.

This backdoor was introduced in the upstream GitHub xz project with release 5.6.0 in February 2024.

For the statement from the openSUSE project please refer to https://news.opensuse.org/2024/03/29/xz-backdoor/

SUSE Linux Enterprise and Leap are built in isolation from openSUSE. Code, functionality and characteristics of Tumbleweed are not automatically introduced in SUSE Linux Enterprise and/or Leap. It has been established that the malicious file introduced into Tumbleweed is not present in SUSE Linux Enterprise and/or Leap. Additionally, SUSE has verified that SLE BCI, SUSE Rancher, and SUSE Edge products are not affected. SUSE will continue to monitor this issue, and make any updates if and as necessary.
