The xz package that has already entered the current F40 pre-release versions/variants and rawhide contains malicious code. This does NOT affect users of the Fedora releases (F38, F39 are thus not affected), but all users who already use F40 pre-release versions/variants or rawhide shall read this: Article: CVE details: https://access.redhat.com/security/cve/CVE-2024-3094 Be aware that this is CVE criticality 10: this is the highest risk factor. Also be aware that the header of the RH arti...
Running Ubuntu 23.10 with xz-utils 5.41 which is unaffected. Versions 5.6.0 and 5.6.1 are the malicious packages. I used Synaptic Package Manager to search for it.
The bad actor had a launchpad bug to pull it into the Ubuntu LTS beta. Serious kudos to the person who discovered it, literally in the nick of time.
Same story with Fedora
On Ubuntu the only affected people were those running the prerelease of Ubuntu 24.04 who had installed the update from the proposed pocket.