Here are affected distributions:
https://www.helpnetsecurity.com/2024/03/29/cve-2024-3094-linux-backdoor/
March 29, 2024

Which distros are affected?

Red Hat says that the vulnerable packages are present in Fedora 41 and Fedora Rawhide, and have urged users of those distros to immediately stop using them.

“If you are using an affected distribution in a business setting, we encourage you to contact your information security team for next steps,” they said, and added that no versions of Red Hat Enterprise Linux (RHEL) are affected.

SUSE has released a fix for openSUSE users.

Debian says no stable versions of the distro are affected, but that compromised packages were part of the Debian testing, unstable and experimental distributions, and users of those should update the xz-utils packages.

“The malicious code found in the latest versions of the xz libraries show just how critical it is to have a vigilant and veteran Linux security team monitoring software supply chain channels,” Vincent Danen, VP, Product Security at Red Hat, told Help Net Security.

“Red Hat, along with CISA and other Linux distributions, were able to identify, assess and help remediate this potential threat before it posed a significant risk to the broader Linux community.”

CISA has advised developers and users to downgrade XZ Utils to an uncompromised version (e.g., XZ Utils 5.4.6 Stable) and to hunt for any malicious activity and report any positive findings to the agency.


UPDATE: Friday, March 29, 15:06 ET

Kali Linux announced that the impact of this vulnerability affected Kali between March 26th and March 29th. If you updated your Kali installation on or after March 26th, applying the latest updates today is crucial to address this issue. However, if you did not update your Kali installation before the 26th, you are not affected by this backdoor vulnerability.

I don't use RedHat/CentoOS/others[1] but it looks like you use dnf to update (as root, or with sudo)
Post a reply if you know. I remember the days of "yum" (it came from YellowDog Linux, hence the Y)


Debian-like systems:
https://linuxhandbook.com/update-debian/

If you want to update Debian Linux system, here's what you need to do.

Update the local package database cache with:

sudo apt update
And then update all the installed software, kernel and other system components at once using:

sudo apt upgrade
Press Y key when you are asked to confirm.

Combine the above two commands

Alternatively, you can combine the above two commands with the help && operator. You can also provide the conformation automatically using -y:

sudo apt update && sudo apt upgrade -y

Homebrew (commonly used on MacOS)
https://osxdaily.com/2021/02/13/how-update-homebrew-mac/

How to Update Homebrew
Updating Homebrew is pretty straight forward:

brew update

This updates homebrew itself.

You can then upgrade all individual packages and formula with the following:

brew upgrade

Don't know if this affects BSD distributions, but here's the original post:
https://www.openwall.com/lists/oss-security/2024/03/29/4

It includes a downloadable shell script to detect vulnerabilities, but it requires the ldd command, which mac users can get with the command-line utils. It's not in the shipped OS. It's worth reading, actually.




[1] Alternatives to RedHat which are similar:
https://www.makeuseof.com/best-red-hat-based-linux-distros/

Noted at wikipedia already
https://en.wikipedia.org/wiki/XZ_Utils#cite_note-Freund-3

Corrections welcome.

Glad to see someone who knows what they're talking about responding. I'm pretty clueless, but it seemed important.

I think this is a lot worse than reported. Yes, this attempt was foiled before it got widespread, but the technique they used opens a new front in the war against malware.

(1) This was a years-long effort. Clearly not a random teenage hacker going for kicks (i.e. it was a government group).
(2) It took advantage of the rapidly aging population of open-source package owners & maintainers.

The approach here was to create a useful but fictional volunteer contributor and slowly build up their reputation and credibility until they could be given control of a widely used package. And then to use that power to introduce malware that would be included by large distributions.

This was only discovered because the malware was buggy and affected the performance of the OpenSSH package. If they had been a little bit better at coding the backdoor, it would not have been discovered before being distributed to millions of Linux systems.

But we caught them, why is this so bad? It's bad because there's very little we can do to prevent this style of attack from being used over and over again until we can no longer trust any large open source software system.

If I just stay away from open-source systems like Linux, won't that be enough? No, because every major OS (Windows and Android and Mac and iOS included) include open source software for you. And regardless of how big those companies are, they do not have the people to review and vet every line of source code in the packages they include.

Won't my anti-virus/anti-malware software detect threats like this? Nope. If the malware is done carefully, it'll just look like part of the system.

Aren't you being just a little bit paranoid? Yes. But then I was also around when the Morris Worm took over the net because of a back-door that was introduced by the actual author of the widely used & installed Sendmail program.

"Just because you're paranoid doesn't mean they aren't after you" -- Author Unknown

Some more details:

https://lcamtuf.substack.com/p/technologist-vs-spy-the-xz-backdoor

In large corporations like Microsoft, Apple, or Google it's not inconceivable that a few employees have side gigs with national security agencies or organized crime.

These activities might even be condoned as a "cost of doing business."

Agreed, but at least the big companies have actual security people thinking about such things. The open source community appears (to me) to be much more trusting.

If I were the NSA, CIA, FBI, MI6, FSB, Mossad, MSS (China) and RGB (N. Korea) ... I'd make a priority to get moles in place to access all the larger clouds. End-to-end encryption doesn't protect you if the people making the software are compromised. Google docs, iCloud, AWS, Azure, etc. are all prime targets.

I guess the open source community should take pride in being successful enough to be a target too.

are already being released. If you use a recent Linux distribution just run your updates.