Last Friday, a major vulnerability was reported in the xz library, which some Linux distributions use as a data compression program.
Specifically, the source code on GitHub was infected with carefully obfuscated malicious code, allowing attackers to open a backdoor for SSH access to infected systems.
NIST currently lists the CVE with a severity score of 10.0, the highest possible:
https://nvd.nist.gov/vuln/detail/CVE-2024-3094
The vulnerability, discovered almost accidentally by a Microsoft developer, is present in versions 5.6.0 and 5.6.1.
Therefore, it is recommended to downgrade the xz library on systems running these releases, or to uninstall it if it is not in use.
The official Red Hat advisory is also available here:
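As an added example (not part of the original post), a POSIX shell check that parses `xz --version` output and flags the two releases named above, for both the xz tool and the liblzma library it reports, since the library is what other programs load; the sample output below is constructed.

```shell
# Added example, not part of the original post: flag the xz releases
# named above (5.6.0 and 5.6.1, CVE-2024-3094) in `xz --version` output.

# is_affected_xz_version VERSION -> true for the two affected releases
is_affected_xz_version() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Version of the xz binary: last field of the first output line,
# e.g. "xz (XZ Utils) 5.6.1" -> "5.6.1"
xz_version_from_output() {
    printf '%s\n' "$1" | awk 'NR == 1 { print $NF; exit }'
}

# Version of the liblzma the binary is linked against: second line,
# e.g. "liblzma 5.6.1" -> "5.6.1". The library is what other programs load.
liblzma_version_from_output() {
    printf '%s\n' "$1" | awk 'NR == 2 { print $NF; exit }'
}

# check_xz_output "<xz --version output>" -> prints one verdict line per
# component; returns 0 if neither is affected, 1 if either one is
check_xz_output() {
    _status=0
    for _pair in "xz:$(xz_version_from_output "$1")" \
                 "liblzma:$(liblzma_version_from_output "$1")"; do
        _name=${_pair%%:*}
        _ver=${_pair#*:}
        if is_affected_xz_version "$_ver"; then
            echo "$_name $_ver: AFFECTED by CVE-2024-3094, downgrade or remove"
            _status=1
        else
            echo "$_name $_ver: not an affected release"
        fi
    done
    return $_status
}

# Constructed sample output in the format `xz --version` prints
SAMPLE_AFFECTED='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
SAMPLE_CLEAN='xz (XZ Utils) 5.4.6
liblzma 5.4.6'

# Check the real installation when xz is present (exit status 1 = affected)
if command -v xz >/dev/null 2>&1; then
    check_xz_output "$(xz --version 2>/dev/null)"
fi
```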
https://access.redhat.com/security/cve/CVE-2024-3094