XZ Utils (formerly LZMA Utils) provides a general-purpose data-compression library plus command-line tools.
March 29, 2024 is a day that will hardly be forgotten by the open source community: Andres Freund disclosed his findings about a compromise of XZ Utils that would enable an attacker to silently gain access to a targeted, affected system.
CVE-2024-3094 is a vulnerability discovered in the open-source library XZ Utils that stems from malicious code that was pushed into the library by one of its maintainers.
It’s “funny” how a small piece of software can impact a lot of services and a lot of systems. But this has already happened in the past (for example with OpenSSL, which is not so small, but is still used by a lot of other software).
Maybe the Bazaar model does not always fit so well with all the security and quality aspects that software needs to have. In theory, everybody should be able to spot possible issues in open source software… in practice it does not (always) happen!
For more information see: