Exactly two months ago, cyberspace was shaken by an urgent warning about malicious code in XZ Utils, which turned out to be a backdoor added by an attacker using the pseudonym Jia Tan. Presumably a Chinese hacker, or even a whole group of hackers, managed to win the trust of the project's users and become a co-developer of the project.

Only two months later did the lead developer of XZ, Lasse Collin, finally release XZ 5.6.2, with the backdoor fully removed.

XZ Utils is a cross-platform set of data compression programs. They are used mainly on Linux to reduce file sizes, which saves disk space and speeds up data transfer over the network. The main component of XZ Utils is the liblzma library, which provides the LZMA data compression algorithm.

The vulnerability, CVE-2024-3094, which was present in the previous versions 5.6 and 5.6.1, has been completely eliminated in the new release. Meanwhile, the investigation into the backdoor continues, and anyone can follow the updates on a dedicated XZ page.

Lasse Collin also said that the ill-fated Jia Tan will be replaced as a supporting developer in XZ by Sam James.

Now that the backdoor has been removed, XZ Utils users are advised to update to the latest version to ensure their systems are secure. Backdoors can be introduced into software both during its development and during its operation (for example, through malware). They can be used for espionage and for remote control of a system or device.
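
One way to act on the update advice above is to classify what `xz --version` reports against the releases named in this article. This is an added example, not part of the original article or the XZ project's code; the function names are hypothetical, the sample output is constructed, and it assumes the article's "5.6" is the release xz reports as 5.6.0 and that releases after 5.6.2 keep the fix.

```shell
#!/bin/sh
# Added example: function names are hypothetical, sample text is constructed.
# Affected releases per the article: 5.6 (reported by xz as 5.6.0) and 5.6.1.
# Assumption: releases after 5.6.2 keep the fix.

# Print the first dotted version on the line starting with label $1 in text $2.
extract_version() {
    printf '%s\n' "$2" | sed -n "s/^$1[^0-9]*\([0-9][0-9.]*\).*/\1/p" | head -n 1
}

# Map a dotted version to: affected | patched | older | unknown.
classify_version() {
    v=$1
    case "$v" in
        ''|*[!0-9.]*) echo unknown; return 0 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $v                      # split "5.6.1" into 5 6 1
    IFS=$old_ifs
    n=$(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
    if [ "$n" -lt 5006000 ]; then echo older        # predates 5.6.0
    elif [ "$n" -le 5006001 ]; then echo affected   # 5.6.0 or 5.6.1
    else echo patched                               # 5.6.2 or later
    fi
}

# Verdict for the whole `xz --version` text ($1). The tool and the liblzma it
# loaded at run time are reported on separate lines and can differ, so an
# affected or unparseable line wins over a clean one.
assess_xz_output() {
    tool=$(classify_version "$(extract_version xz "$1")")
    lib=$(classify_version "$(extract_version liblzma "$1")")
    for verdict in affected unknown; do
        if [ "$tool" = "$verdict" ] || [ "$lib" = "$verdict" ]; then
            echo "$verdict"; return 0
        fi
    done
    echo "$lib"
}

# Constructed sample of `xz --version` output from an affected install.
sample='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
echo "sample: $(assess_xz_output "$sample")"

# Live check, only when xz is installed on this host.
if command -v xz >/dev/null 2>&1; then
    echo "this host: $(assess_xz_output "$(xz --version)")"
fi
```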
