
XZ Utils (formerly LZMA Utils) provides a general-purpose data-compression library plus command-line tools.

March 29, 2024 is a day that will hardly be forgotten by the open source community: Andres Freund disclosed his findings about the compromise of XZ Utils, which would enable an attacker to silently gain access to a targeted, affected system.

CVE-2024-3094 is a vulnerability discovered in the open-source library XZ Utils that stems from malicious code that was pushed into the library by one of its maintainers.

It’s “funny” how a small piece of software can impact so many services and systems. But this has already happened in the past (for example with OpenSSL, which is not that small, but is still used by a lot of other software).

Maybe the Bazaar model does not always fit so well with all the security and quality properties that software needs to have. In theory everybody can spot possible issues in open source software… in practice it does not (always) happen!

For more information see:
