xz 5.6.0 and 5.6.1 source tarballs are backdoored. Investigation found that no #alpinelinux xz binary is affected.
- stable branches uses xz 5.4 or older
- edge uses unaffected tarball
- the backdoor doesn't work with musl
https://www.openwall.com/lists/oss-security/2024/03/29/4
Jakub Jirutka /
npub19r…ej2cd
2024-03-29 19:09:22
Author Public Key
npub19rmlx5qk3z43tt5guldaj903c8j47zgxhulq0vnntzrxt9g3gr6s9ej2cdPublished at
2024-03-29 19:09:22Event JSON
{
"id": "12c3a6b5503f8839dfeca1b682a2eee788bd54da535ae4f3b545230c6949ee27",
"pubkey": "28f7f3501688ab15ae88e7dbd915f1c1e55f0906bf3e07b273588665951140f5",
"created_at": 1711739362,
"kind": 1,
"tags": [
[
"t",
"alpinelinux"
],
[
"proxy",
"https://social.jirutka.cz/users/jakub/statuses/112180550872782035",
"activitypub"
]
],
"content": "xz 5.6.0 and 5.6.1 source tarballs are backdoored. Investigation found that no #alpinelinux xz binary is affected.\n\n- stable branches uses xz 5.4 or older\n- edge uses unaffected tarball \n- the backdoor doesn't work with musl\n\nhttps://www.openwall.com/lists/oss-security/2024/03/29/4",
"sig": "04f17d76349125f0a0ef1f81df460b791cd25026fc2c11ed212e6f33b614e3ba78c7d53b5d4f2eaeea051bf4d540c68eb74882e33dd81fa437501116b436fc52"
}