Microsoft employee Andres Freund has shared his finding of odd symptoms in the xz package on Debian installations.
Freund noticed that ssh login was requiring a lot of CPU and decided to investigate, which led to the discovery.
The malicious injection is found only in the downloadable tarball packages of the xz 5.6.0 and 5.6.1 libraries.
The Git distribution does not include the M4 macro that triggers the code.
Without the merge into the build, the second-stage file is innocuous.
Users are advised to check for xz version 5.6.0 or 5.6.1 in the following distributions and downgrade to 5.4.6.
If you cannot, you should disable public-facing SSH servers.
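
One way to script the version check recommended above (an added example, not code from the article or from the xz project). The function names and the `check_xz.sh` file name are hypothetical, and the package-style version strings it handles are constructed samples.

```shell
# Added example: flag the xz/liblzma versions the article names (5.6.0, 5.6.1).

# Reduce a version string to its upstream part. Handles "5.6.1", a package
# revision ("5.6.1-1"), an epoch ("1:5.6.1-1") and the Debian-style "+really"
# form used when a package is rolled back without lowering its version.
upstream_version() {
    v=$1
    v=${v#*:}                              # drop epoch, if present
    case $v in
        *+really*) v=${v##*+really} ;;     # real upstream follows "+really"
    esac
    printf '%s\n' "${v%%-*}"               # drop package revision
}

# Print "affected", "not-listed" or "unknown" for one version string.
classify_xz() {
    case $(upstream_version "$1") in
        5.6.0|5.6.1)          echo affected ;;
        [0-9]*.[0-9]*.[0-9]*) echo not-listed ;;
        *)                    echo unknown ;;
    esac
}

# Read `xz --version` output on stdin and print the liblzma version it reports.
liblzma_from_xz_output() {
    sed -n 's/^liblzma \([0-9][^ ]*\).*/\1/p'
}

# Check the xz on PATH; returns 1 if affected, 2 if xz is missing.
check_local_xz() {
    command -v xz >/dev/null 2>&1 || { echo "xz not found"; return 2; }
    ver=$(xz --version | liblzma_from_xz_output)
    verdict=$(classify_xz "$ver")
    echo "liblzma ${ver:-?}: $verdict"
    [ "$verdict" != affected ]
}

# Run against the local system only when asked: sh check_xz.sh --local
if [ "${1:-}" = "--local" ]; then
    check_local_xz
fi
```

Version strings reported by a package manager can be passed straight to `classify_xz`, which is useful when auditing hosts from an inventory export instead of logging in to each one.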