Backdoor discovered in xz: security update for OpenMandriva users

As it might affect cooker and rolling users, please upgrade as soon as possible.

A backdoor in liblzma, part of the xz compressor, has been discovered. The exact workings of the backdoor are not yet known; it is, however, clear that it targets OpenSSH servers and hijacks their authentication.

While the cooker and rolling branches of OpenMandriva Lx do include xz 5.6.1 and the problematic code is inside the source tarball, we currently believe that OpenMandriva is NOT vulnerable to this backdoor (the detection script provided by those who found the backdoor agrees with this assessment).
This is because the backdoor relies on implementation details that seem to exist only if openssh was built with gcc (OpenMandriva builds openssh with clang).

Users of Rock/5.0 are not affected because the version in 5.0 predates the addition of the malicious code.

However, given the high impact of this, and the fact that it’s hard to be 100% sure we’re safe, we’re releasing an update with the backdoor code removed (xz 5.6.1-2), and advise everyone to update the package quickly even if it is unlikely to have any effect.
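A defender-side check of the kind the update advice above calls for, as an added example that is neither OpenMandriva's own code nor the detection script mentioned earlier. It assumes the liblzma rpm is queried as `xz` and that sshd lives at /usr/sbin/sshd (both assumptions, not from the announcement), and that 5.6.0 and 5.6.1 are the affected upstream releases (the announcement names only 5.6.1).

```shell
#!/bin/sh
# Added example; not OpenMandriva's script and not the upstream detection script.
# Assumed: package name "xz" for liblzma, sshd at /usr/sbin/sshd.

# Upstream releases whose tarballs carry the malicious build code
# (5.6.0 and 5.6.1 are the two known-affected releases).
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Takes "VERSION-RELEASE" as `rpm -q --qf '%{VERSION}-%{RELEASE}'` prints it.
# Returns 0 when the package still needs the update: an affected upstream
# version that is not yet the rebuilt 5.6.1-2 (or a later release of it).
xz_package_needs_update() {
    ver="${1%%-*}"
    case "$1" in
        *-*) rel="${1#*-}"; rel="${rel%%[!0-9]*}" ;;  # leading digits only
        *)   rel="" ;;
    esac
    xz_version_affected "$ver" || return 1
    [ "$ver" = "5.6.1" ] && [ "${rel:-0}" -ge 2 ] && return 1
    return 0
}

# The hijack can only reach sshd's authentication path if liblzma is loaded
# into the sshd process (on many distributions it arrives via libsystemd).
links_liblzma() {
    ldd "$1" 2>/dev/null | grep -q 'liblzma'
}

run_checks() {
    if command -v rpm >/dev/null 2>&1; then
        pkg=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' xz 2>/dev/null | head -n 1)
        if [ -n "$pkg" ] && xz_package_needs_update "$pkg"; then
            echo "xz $pkg: update to 5.6.1-2 or later"
        else
            echo "xz ${pkg:-not installed}: no update needed"
        fi
    fi
    if [ -x /usr/sbin/sshd ]; then
        if links_liblzma /usr/sbin/sshd; then
            echo "sshd links liblzma: the backdoor's code path is reachable"
        else
            echo "sshd does not link liblzma: known trigger path absent"
        fi
    fi
}

run_checks
```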

We have also verified that the servers in our own infrastructure have not been compromised (the fact that we use aarch64 servers helps – the backdoor is x86 only).

Given that this backdoor was spread by someone with access to xz’s GitHub account, it is possible that other malicious code is included there. Until the xz code has been fully audited, we will reduce our reliance on xz. OpenMandriva is already the first distribution that has shifted to zstd compression for man pages and info pages, and among the first distributions to use zstd for the compression payload inside rpm packages.
