Backdoor Discovered in xz-utils for Fedora 40 and Rawhide
Red Hat’s emergency advisory (CVE‑2024‑3094) warns that malicious code was inserted into xz‑utils 5.6.0 and 5.6.1, creating a remote‑access backdoor that affects only Fedora 41 and Rawhide. The code is traced to the attacker JiaT75, who had been embedded in the Tukaani project for three years before GitHub disabled the repository.
Red Hat issued an emergency security advisory (CVE‑2024‑3094) warning that xz‑utils versions 5.6.0 and 5.6.1 contain malicious code that could allow unauthorized remote access.
The vulnerability affects only Fedora 41 and Fedora Rawhide packages; all RHEL releases are unaffected.
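Because the advisory identifies the compromise by release number (5.6.0 and 5.6.1), the first thing an administrator wants is a quick way to tell whether a host carries one of those builds. The following shell script is an added example, not part of the advisory or of the xz project; it parses the first line of `xz --version` output (assumed to follow the usual `xz (XZ Utils) <version>` form) and flags the two affected releases.

```shell
# Added example: flag an installed xz-utils whose version matches the
# backdoored 5.6.0 / 5.6.1 releases named in CVE-2024-3094.

# Extract the version number from `xz --version` output. The first line is
# assumed to look like "xz (XZ Utils) 5.6.1"; prints nothing if it does not.
xz_version_from_banner() {
    printf '%s\n' "$1" | head -n 1 | sed -n 's/.*XZ Utils) \([0-9][0-9.]*\).*/\1/p'
}

# Return 0 (true) when the version string is one of the affected releases.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Inspect the xz binary on PATH, if any. Prints a verdict and returns 0
# only when an affected release is installed.
check_installed_xz() {
    if ! command -v xz >/dev/null 2>&1; then
        echo "xz not found on PATH"
        return 1
    fi
    banner=$(xz --version 2>/dev/null)
    ver=$(xz_version_from_banner "$banner")
    if xz_version_affected "$ver"; then
        echo "xz $ver: AFFECTED by CVE-2024-3094 (backdoored release), update per vendor guidance"
        return 0
    fi
    echo "xz ${ver:-unknown}: not one of the affected releases (5.6.0/5.6.1)"
    return 1
}

# Usage: run the check against the local system.
check_installed_xz || :
```

The version match is deliberately exact rather than a range comparison: only the two releases the advisory names are known to ship the malicious code, and a rebuilt package of the same version may carry a distribution-specific suffix, so treat a non-match from this script as a prompt to confirm with the vendor's package metadata rather than as proof of a clean host.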
Security researcher Andres Freund’s reverse‑engineering shows the payload uses sophisticated techniques to evade detection, and the compromised repository (tukaani‑project/xz) has been completely disabled by GitHub.
The attacker, identified as JiaT75 (Jia Tan), allegedly infiltrated the project for three years, inserting backdoor scripts, OpenSSL function hijacking, and an SSH backdoor via test‑case data and m4 scripts.
GitHub has now closed the attacker’s account and the xz‑utils repository. The incident highlights the difficulties open‑source maintainers face when malicious contributors gain trusted access.
Java Tech Enthusiast