---
title: "liblzma and xz version 5.6.0 and 5.6.1 are vulnerable to arbitrary code execution compromise"
date: 2024-03-29
hero:
  ai: "Photo by Xe Iaso, EOS R10 with 135mm Super-Multi-Coated Takumar f/3.5"
  file: xz-alert
  prompt: "A stop sign on a blue sky with the words 'security alert' underneath it"
---

This is a new situation and we are still gathering information. Here is what we know so far:

The [xz/liblzma project](https://github.com/tukaani-project/xz) has released versions 5.6.0 and 5.6.1.

The combination of this and patches made by some distributions to the interactions between liblzma, libsystemd, and sshd have resulted in a situation where an attacker can compromise a system by sending a malicious payload to an sshd server.

We are lucky. This only affects AMD64 Linux systems. The vulnerability is in a specific RSA function. The exploit is in the wild. This is also a very new version of xz/liblzma, so it is not widely deployed yet. This is also unlikely to affect anything other than Glibc (because of glibc IFUNC support), so if you use [musl](https://musl.libc.org/) or another libc implementation, you are likely safe.

If you are using a distribution that has not yet released xz 5.6.0 or 5.6.1, you are likely safe.

If you are running Debian sid, Fedora 41, or Fedora Rawhide, run updates now.

Here are the distros where it is likely to be released (according to [repology](https://repology.org/project/xz/versions)):

- Alpine Edge
- Arch
- Cygwin
- Exherbo
- Gentoo
- Homebrew
- KaOS
- MacPorts
- Manjaro Testing
- NixOS Unstable/nixpkgs unstable
- OpenIndiana
- OpenMamba
- OpenMandriva Rolling
- Parabola
- PCLinuxOS
- Pisi Linux
- pkgsrc current
- Ravenports
- Slackware current
- Solus
- Termux
- Wikidata

If you are using one of these distributions, you should check to see if you are using xz version 5.6.0 or 5.6.1. If you are, you should downgrade to 5.4.6. If you can't downgrade, you should disable public-facing SSH servers until you can downgrade.

At this time, we believe that version 5.4.6 is not vulnerable to this exploit. If you are using a different version, you should check with your distribution's security mailing list to see if you are vulnerable. If you are not already subscribed to your distribution's security mailing list, you should do so now.

Here is how you can tell if you're running the affected version:

```
xz --version
```

Here is what the output on the vulnerable version looks like:

```
$ xz --version
xz (XZ Utils) 5.6.1
liblzma 5.6.1
```
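As an added example (not from the original post), here is a small POSIX shell script that parses the `xz --version` output shown above and classifies the version the way the post does: 5.6.0 and 5.6.1 as affected, 5.4.6 as not affected, and anything else as needing a check against your distribution's security advisories. The function names and the embedded sample output are my own.

```shell
#!/bin/sh
# Added example, not from the original post: classify the xz/liblzma
# version reported by `xz --version` as described above.

# Constructed sample matching the vulnerable output shown in the post.
SAMPLE_VULNERABLE='xz (XZ Utils) 5.6.1
liblzma 5.6.1'

# Read `xz --version` output on stdin and print the liblzma version.
# Prefers the "liblzma X.Y.Z" line (the library is what sshd ends up
# loading); falls back to the "xz (XZ Utils) X.Y.Z" line if it is missing.
liblzma_version() {
    awk '
        /^liblzma / { print $2; found = 1; exit }
        /^xz \(XZ Utils\) / { xzv = $4 }
        END { if (!found && xzv != "") print xzv }
    '
}

# Map a version string to one of: affected, not-affected, review, unknown.
# 5.6.0/5.6.1 are the compromised releases; 5.4.6 is the version the post
# recommends downgrading to; any other release should be checked against
# your distribution's security mailing list.
classify_xz_version() {
    case "$1" in
        5.6.0|5.6.1)          echo affected ;;
        5.4.6)                echo not-affected ;;
        [0-9]*.[0-9]*.[0-9]*) echo review ;;
        *)                    echo unknown ;;
    esac
}

# Classify a full `xz --version` output text passed as $1.
check_xz_output() {
    v=$(printf '%s\n' "$1" | liblzma_version)
    classify_xz_version "$v"
}

# Check the live system when xz is installed.
if command -v xz >/dev/null 2>&1; then
    status=$(check_xz_output "$(xz --version 2>/dev/null)")
    printf 'xz/liblzma on this host: %s\n' "$status"
    if [ "$status" = affected ]; then
        echo 'Downgrade to 5.4.6, or disable public-facing sshd until you can.'
    fi
fi
```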
Stay tuned for more information. [Red Hat's security advisory](https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users) may be helpful.

---

Special thanks to titanous for pre-vetting this before it went live.