Progress Linux noun
\ ˈprō-ˌgres ˈlinʊks \
Essential Meaning of Progress Linux
: a Debian derivative focused on system integration
// better performance
// improved usability
// newer software
// stronger security
A backdoor in xz-utils (CVE-2024-3094)
Andres Freund discovered on 2024-03-29 that the upstream source tarballs for xz-utils, the XZ-format compression utilities, were compromised: at build time they inject malicious code into the resulting liblzma5 library (a supply chain attack).
Right now no Progress Linux stable versions are known to be affected. Compromised packages were part of the graograman-backports distribution, with versions ranging from 5.6.0-0.1~progress7+u1 (uploaded on 2024-02-26) up to and including 5.6.1-1~progress7+u1. The package was reverted on 2024-03-30 to the upstream 5.4.5 code, which is versioned as 5.6.1+really5.4.5-1~progress7+u1 so that it sorts above the compromised versions.
Users running Progress Linux 7.99 (graograman-backports) are urged to update the xz-utils packages.
Both the Git server as well as the hidden-primary repository server for Progress Linux were running on graograman-backports with affected versions of xz-utils. After an audit of all Git repositories and Debian packages in our archive, we have not found any signs of compromise.
As far as the backdoor has been analyzed by the community, it allows remote execution of arbitrary code on affected systems. We have secured our systems and have not found any signs of compromise, but because one of the repository signing keys was stored (passphrase protected) on one of the servers, we treat all data and systems as compromised and will do a clean-room re-setup of the entire infrastructure, replace all PGP and SSH keys, regenerate all Git repositories and rebuild all Debian packages. This is the only way to be completely sure about the integrity of the project.
For more information about the xz backdoor and the detailed status of the re-setup, please refer to its tracking page at: https://progress-linux.org/info/xz-backdoor