XZ Backdoor Incident New Version Released and Updates

TapTechNews May 31, after 2 months of the XZ backdoor incident, project maintainer LasseCollin released the new version XZ5.6.2 today and completely removed the backdoor code CVE-2024-3094 in v5.6 and v5.6.1.

Collin said that the XZ backdoor incident is currently being investigated, and users interested in continuous updates can check the XZ backdoor page to learn the latest information.

TapTechNews also learned from the report that LasseCollin announced the acceptance of SamJames as the new support maintainer of the XZ project.

The XZ5.6.2 version also fixed some bugs, corrected the problem of building with the latest NVIDIA HPC SDK (compiler), and cancelled the support for GNU indirect functions (IFUNC).

The XZ backdoor had used IFUNC support, but since the performance advantage brought by using it was too small and at the same time added a lot of complexity, so this code was about to be deleted.

Officials also released XZ5.4.7 and XZ5.2.13 today, which contain various bug fixes, but only the XZ5.6 series are affected by the backdoor.

Related reading:

Earthquake in the Linux community: The mainstream compression tool XZ was exposed to have a backdoor, and Red Hat, Debian and other companies issued announcements requiring urgent suspension.