{"id":55759,"date":"2024-04-01T19:32:23","date_gmt":"2024-04-01T15:32:23","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/177864\/glsa-202403-04.txt"},"modified":"2024-04-02T13:09:21","modified_gmt":"2024-04-02T08:39:21","slug":"gentoo-linux-security-advisory-202403-04","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/gentoo-linux-security-advisory-202403-04\/","title":{"rendered":"Gentoo Linux Security Advisory 202403-04"},"content":{"rendered":"

– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
\nGentoo Linux Security Advisory GLSA 202403-04
\n– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
\nhttps:\/\/security.gentoo.org\/
\n– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –<\/p>\n

Severity: High
\nTitle: XZ utils: Backdoor in release tarballs
\nDate: March 29, 2024
\nBugs: #928134
\nID: 202403-04<\/p>\n

– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –<\/p>\n

Synopsis
\n========<\/p>\n

A backdoor has been discovered in XZ utils that could lead to remote
\ncompromise of systems.<\/p>\n

Background
\n==========<\/p>\n

XZ Utils is free general-purpose data compression software with a high
\ncompression ratio.<\/p>\n

Affected packages
\n=================<\/p>\n

Package Vulnerable Unaffected
\n—————– ———— ————
\napp-arch\/xz-utils >= 5.6.0 < 5.6.0<\/p>\n

Description
\n===========<\/p>\n

A backdoor has been discovered in XZ utils. Please review the CVE
\nidentifier referenced below for details.<\/p>\n

Impact
\n======<\/p>\n

Our current understanding of the backdoor is that is does not affect
\nGentoo systems, because<\/p>\n

1. the backdoor only appears to be included on specific systems and
\nGentoo does not qualify;
\n2. the backdoor as it is currently understood targets OpenSSH patched to
\nwork with systemd-notify support. Gentoo does not support or include
\nthese patches;<\/p>\n

Analysis is still ongoing, however, and additional vectors may still be
\nidentified. For this reason we are still issuing this advisory as if
\nthat will be the case.<\/p>\n

Workaround
\n==========<\/p>\n

There is no known workaround at this time.<\/p>\n

Resolution
\n==========<\/p>\n

All XZ utils users should downgrade to the latest version before the
\nbackdoor was introduced:<\/p>\n

# emerge –sync
\n# emerge –ask –oneshot –verbose “<app-arch\/xz-utils-5.6.0”<\/p>\n

References
\n==========<\/p>\n[ 1 ] CVE-2024-3094
\nhttps:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2024-3094<\/p>\n

Availability
\n============<\/p>\n

This GLSA and any updates to it are available for viewing at
\nthe Gentoo Security Website:<\/p>\n

https:\/\/security.gentoo.org\/glsa\/202403-04<\/p>\n

Concerns?
\n=========<\/p>\n

Security is a primary focus of Gentoo Linux and ensuring the
\nconfidentiality and security of our users’ machines is of utmost
\nimportance to us. Any security concerns should be addressed to
\nsecurity@gentoo.org or alternatively, you may file a bug at
\nhttps:\/\/bugs.gentoo.org.<\/p>\n

License
\n=======<\/p>\n

Copyright 2024 Gentoo Foundation, Inc; referenced text
\nbelongs to its owner(s).<\/p>\n

The contents of this document are licensed under the
\nCreative Commons – Attribution \/ Share Alike license.<\/p>\n

https:\/\/creativecommons.org\/licenses\/by-sa\/2.5<\/p>\n","protected":false},"excerpt":{"rendered":"

– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – Gentoo Linux Security Advisory GLSA 202403-04 – – – – – – – – – – – – – …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-55759","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/55759","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=55759"}],"version-history":[{"count":1,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/55759\/revisions"}],"predecessor-version":[{"id":55773,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/55759\/revisions\/55773"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=55759"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=55759"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=55759"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}