SUSE addresses supply chain attack against xz compression library


SUSE received notification of a supply chain attack against the “xz” compression tool and “liblzma5” library.

Background

Security researcher Andres Freund reported to Debian that the xz / liblzma library had been backdoored.

This backdoor was introduced in the upstream GitHub xz project with release 5.6.0 in February 2024.

For the statement from the openSUSE project please refer to https://news.opensuse.org/2024/03/29/xz-backdoor/

SUSE Linux Enterprise and Leap are built in isolation from openSUSE. Code, functionality and characteristics of Tumbleweed are not automatically introduced in SUSE Linux Enterprise and/or Leap. It has been established that the malicious file introduced into Tumbleweed is not present in SUSE Linux Enterprise and/or Leap. Additionally, SUSE has verified that SLE BCI, SUSE Rancher, SUSE Edge and SUSE Liberty Linux products or offerings are not affected. SUSE has never introduced XZ releases 5.6.0 or 5.6.1 to any of the mentioned product offerings except openSUSE Tumbleweed. SUSE will continue to monitor this issue, and make any updates if and as necessary.
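
A local check for the two releases named above, as an added example that is not part of SUSE's statement. The function names and the sample inventory are constructed for illustration, and the `rpm` query assumes an RPM-based host whose packages are named `xz` and `liblzma5`.

```shell
#!/bin/sh
# Added example (not SUSE code): flag xz / liblzma5 packages that carry one of
# the upstream release numbers named on this page.
AFFECTED_VERSIONS="5.6.0 5.6.1"

# Read "NAME VERSION" lines on stdin and print one "AFFECTED ..." line per hit.
# Returns 1 if at least one affected package was seen, 0 otherwise.
xz_flag_affected() {
    found=0
    while read -r name version; do
        # Only the xz tool, the liblzma5 library and their sub-packages matter.
        case "$name" in
            xz|xz-*|liblzma5|liblzma5-*) ;;
            *) continue ;;
        esac
        for bad in $AFFECTED_VERSIONS; do
            # Exact match on the version field; no prefix or range matching.
            if [ "$version" = "$bad" ]; then
                printf 'AFFECTED %s %s\n' "$name" "$version"
                found=1
            fi
        done
    done
    return "$found"
}

# Query the local RPM database and classify the result.
# "package ... is not installed" lines fail the name filter and are ignored.
xz_check_installed() {
    rpm -q --queryformat '%{NAME} %{VERSION}\n' xz liblzma5 2>/dev/null |
        xz_flag_affected
}

# Constructed inventory for offline testing; not taken from a real system.
sample_inventory() {
    cat <<'EOF'
xz 5.6.1
liblzma5 5.6.1
liblzma5 5.4.6
zstd 5.6.1
EOF
}

# Typical use on a host:
#   xz_check_installed || echo "xz 5.6.0/5.6.1 present: follow the vendor advisory"
```

The match is exact on the RPM version field, so it reports only packages carrying one of the two upstream release numbers and does not inspect the library's contents.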
