Summary: The latest versions of the “xz” tools and libraries contain malicious code that appears to be intended to allow unauthorized access. Specifically, this code is present in versions 5.6.0 and 5.6.1 of the libraries. Fedora Linux 40 users may have received version 5.6.0, depending on the timing of system updates. Fedora Rawhide users may have received version 5.6.0 or 5.6.1.
Gonna take a bit. The dudes been doing the releases for over a year, everything they touched is suspect now even if nothing earlier is known. Also some other associated accounts have been doing shady stuff too.
gonna take even a bit more now. Github closed the account and project making it really difficult to see their commits and merges and analyze them.
gonna take even a bit more now. Github closed the account and project making it really difficult to see their commits and merges and analyze them.
It’s also at https://git.tukaani.org.