Yesterday, Red Hat Information Risk and Security and Red Hat Product Security learned that the latest versions of the “xz” tools and libraries contain malicious code that appears to be intended to allow unauthorized access. Specifically, this code is present in versions 5.6.0 and 5.6.1 of the libraries - at this time, only Fedora 41 and Fedora Rawhide contain these libraries. This vulnerability was assigned CVE-2024-3094. Although Fedora 40 beta contained the 5.6 version of xz in an update, the build environment prevents the injection from correctly occurring, and has not been shown to be compromised. Fedora 40 has now reverted to the 5.4.x versions of xz. PLEASE IMMEDIATELY STOP USAGE OF ANY FEDORA 41 OR FEDORA RAWHIDE INSTANCES for work or personal activity.
https://assets.chaos.social/media_attachments/files/112/180/021/693/112/494/original/71e9cdb7c997e045.png