Without a doubt, the discovery a few days ago that deliberately backdoored upstream XZ Utils tarballs had made it into the Debian sid (unstable) repository sparked a real storm in the Linux community. The malicious code lives in the bundled liblzma, which sshd loads indirectly on affected distributions, and it lets an attacker holding a specific private key run commands on the machine before authentication ever completes.
This security vulnerability, CVE-2024-3094, is present in XZ Utils 5.6.0 and 5.6.1 and didn’t just affect Debian sid. It also impacted several other Linux distributions, including certain versions of Fedora, Arch, openSUSE Tumbleweed, Kali, and more.
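For readers who want to triage their own machines, the following POSIX shell script is an added example (not code from the article, Debian, or the XZ project). It relies on one fact about the CVE that is not stated above: the backdoored upstream releases are XZ Utils 5.6.0 and 5.6.1. It parses `xz --version` output, flags those two releases, and reports whether the local sshd binary links liblzma at all, since the known sshd hook is unreachable if it does not (the library should still be downgraded in that case). Function names and the `--run` flag are this example's own choices.

```shell
#!/bin/sh
# Added example: triage an installed xz/liblzma for CVE-2024-3094.
# Affected upstream releases: 5.6.0 and 5.6.1 (a fact about the CVE).

# Return 0 (true) when a version string names a backdoored release.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Pull the liblzma version out of `xz --version` output, which looks like:
#   xz (XZ Utils) 5.6.1
#   liblzma 5.6.1
# Prefers the liblzma line (that is the library sshd would load); falls back
# to the xz line if no liblzma line is present.
xz_version_from_output() {
    printf '%s\n' "$1" | awk '
        /^liblzma/ { print $2; found = 1; exit }
        /^xz/      { v = $NF }
        END        { if (!found && v) print v }'
}

# Check the running host. Prints a verdict; returns 0 only if affected.
check_local_xz() {
    if ! command -v xz >/dev/null 2>&1; then
        echo "xz not installed"
        return 1
    fi
    ver=$(xz_version_from_output "$(xz --version 2>/dev/null)")
    if xz_version_affected "$ver"; then
        echo "liblzma $ver is a backdoored release (CVE-2024-3094)"
        return 0
    fi
    echo "liblzma $ver is not one of the backdoored releases"
    return 1
}

# On the affected distributions sshd is patched to link libsystemd, which in
# turn pulls in liblzma. Report whether the sshd binary resolves liblzma at all.
sshd_links_liblzma() {
    sshd_bin=${1:-$(command -v sshd 2>/dev/null)}
    [ -n "$sshd_bin" ] || { echo "sshd not found"; return 1; }
    if ldd "$sshd_bin" 2>/dev/null | grep -q liblzma; then
        echo "$sshd_bin links liblzma"
        return 0
    fi
    echo "$sshd_bin does not link liblzma"
    return 1
}

# Run the host checks only when explicitly asked, so the file can also be
# sourced for its functions: sh xz-triage.sh --run
if [ "${1:-}" = "--run" ]; then
    check_local_xz
    sshd_links_liblzma
fi
```

A hit from `check_local_xz` means the host carries the backdoored library and should be downgraded or rebuilt from a clean release regardless of what `sshd_links_liblzma` says; a clean result from the version check is not proof the host was never exposed, only that it is not exposed now.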
In light of this, the Debian project has announced a delay in releasing its upcoming version 12.6, initially planned for April 6. The decision gives the team time to thoroughly investigate any impact on the Debian Archive, the complete collection of Debian software packages.
Although there is currently no evidence that any stable version of Debian is affected (stable ships an older 5.4-series xz), the team wants to be certain the vulnerability cannot touch the distribution’s vast ecosystem of applications and services.
It’s not surprising that Debian, known for prioritizing security and stability, leaves nothing to chance – a commitment that makes it a preferable choice for a dependable server operating system.
So, the release of the sixth update to the ‘Bookworm’ 12 series will be postponed until the developers have checked every detail of CVE-2024-3094 and ruled out any remaining risk to users. For now, the Debian project hasn’t set a new date for the 12.6 release.
This approach fits well with their usual practice of releasing updates only when they’re fully ready.
Meanwhile, Lasse Collin, the original author of XZ Utils and one of its two maintainers, has posted information confirming that the backdoored release tarballs were created and signed by the other maintainer, Jia Tan. At the moment, the motives behind the attack remain utterly unclear.
As always, we’re closely monitoring the situation and will update you whenever anything changes.