Resources related to XZ Vulnerability discovered by Andres Freund on Fri, 29 Mar 2024.

It was designated as CVE-2024-3094.

Summary

XZ Utils backdoor on tukaani — Lasse Collin

FAQ on the xz-utils backdoor (CVE-2024-3094) — Sam James

What we know about the xz Utils backdoor that almost infected the world — Ars Technica

Infographic 1 2 — Thomas Roccia

XZ Utils Backdoor — Everything You Need to Know, and What You Can Do — Akamai Security Intelligence Group

CVE-2024-3094 XZ Backdoor: All you need to know — JFrog

Backdoor in XZ Utils allows RCE: everything you need to know — Wiz

Timeline

Timeline of the xz open source attack — Russ Cox

Downstream

Affected

Redhat Fedora

Debian

OpenSUSE

Kali Linux

Arch Linux

Unaffected

Red Hat Enterprise Linux

Ubuntu

Amazon Linux

Alpine

Gentoo

FreeBSD

Wolfi

Linux Mint

Homebrew

NixOS

Analysis

How the XZ backdoor works - Daroc Alden

A Microcosm of the interactions in Open Source projects — Rob Mensching

Hacker News

Technical

XZ Backdoor Analysis — smx

The xz attack shell script — Russ Cox

xz/liblzma: Bash-stage Obfuscation Explained — Gynvael Coldwind

Related projects

xzbot — Anthony Weems

xzre — smx

xz-malware — Michael Karcher

xz.fail — @binarly_io