Saturday, March 30, 2024

Supply Chain Attack - CVE-2024-3094 - CVSS 10 - xz-utils package

Current status of CVE-2024-3094 as confirmed by each distro advisory:

Fedora - Fedora 41 and Fedora Rawhide are affected (packages `xz-5.6.0-*` or `xz-5.6.1-*`).

Debian - Affected in some release

Red Hat - No versions of Red Hat Enterprise Linux are affected.

Ubuntu - Affected in some release

OpenSUSE Tumbleweed and openSUSE MicroOS - affected

Kali Linux - Affected 

How to check your xz version?
Quick check: `xz -V`
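
The quick check above can be scripted. This is an added example, not part of the original post or of any vendor tooling; it compares both lines of `xz -V` output (the xz tool and liblzma) against the 5.6.0 and 5.6.1 versions listed above. The function names and the sample output are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): flag the xz / liblzma versions
# this post lists as affected by CVE-2024-3094 (5.6.0 and 5.6.1).

# Pull every x.y.z version string out of `xz -V` style output, one per line.
# `xz -V` prints one line for the xz tool and one for liblzma; check both.
extract_versions() {
    printf '%s\n' "$1" | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+[[:alnum:]]*' | sort -u
}

# Print AFFECTED, OK or UNKNOWN for a block of `xz -V` output.
check_xz_output() {
    versions=$(extract_versions "$1")
    if [ -z "$versions" ]; then
        echo "UNKNOWN"      # no version found: do not report a clean result
        return 0
    fi
    status="OK"
    for v in $versions; do
        case "$v" in
            5.6.0|5.6.1) status="AFFECTED" ;;   # exact match, so 5.6.10 is not flagged
        esac
    done
    echo "$status"
}

# Constructed sample output, used when xz is not installed on this host.
SAMPLE_OUTPUT='xz (XZ Utils) 5.6.1
liblzma 5.6.1'

if command -v xz >/dev/null 2>&1; then
    echo "local xz: $(check_xz_output "$(xz -V 2>&1)")"
else
    echo "xz not found; constructed sample: $(check_xz_output "$SAMPLE_OUTPUT")"
fi
```

A version match only says the installed build reports one of the releases listed above; the distro advisory remains the authority on whether a given package is affected.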

Action:
CISA recommends that developers and users downgrade XZ Utils to an uncompromised version, such as XZ Utils 5.4.6 Stable.
