Debian Unstable + Testing, Fedora 41 + Rawhide compromised via xz backdoor

If you’re running relays on these versions, update as soon as possible, or better yet reinstall from fresh clean images.


This was only discovered in the Tarball packages and didn’t make it to official production repositories. The affected version of xz is 5.6.0 and 5.6.1. To check the current version installed type ‘xz --version’ in the command line. I’m on Debian testing and it’s still on 5.4.5

No. Version 5.6.0 was in Unstable since 2024-02-26, in Testing since 2024-03-05, got replaced with 5.6.1 on Unstable on 2024-03-27, and finally downgraded to 5.4.5 on both ~yesterday. Read the linked debian annoucement.

1 Like