SUSE addresses supply chain attack against xz compression library | SUSE Communities

SUSE addresses supply chain attack against xz compression library

Share
Share

SUSE received notification of a supply chain attack against the “xz” compression tool and “liblzma5” library.

Background

Security Researcher Andres Freund reported to Debian that the xz / liblzma library had been backdoored.

This backdoor was introduced in the upstream github xz project with release 5.6.0 in February 2024.

For the statement from the openSUSE project please refer to https://news.opensuse.org/2024/03/29/xz-backdoor/
SUSE Linux Enterprise and Leap are built in isolation from openSUSE. Code, functionality and characteristics of Tumbleweed are not automatically introduced in SUSE Linux Enterprise and/or Leap. It has been established that the malicious file introduced into Tumbleweed is not present in SUSE Linux Enterprise and/or Leap. Additionally, SUSE has verified that SLE BCI, SUSE Rancher, SUSE Edge and SUSE Liberty Linux products or offerings are not affected. SUSE will continue to monitor this issue, and make any updates if and as necessary.

Links

Share
Avatar photo
5,164 views