Backdoor found in xz package source

On March 29, Alpine was notified of a possible backdoor in XZ Utils, the source project of our xz package. The backdoor is known to be present in the released source code for 5.6.0 and 5.6.1, where it is enabled by modified build scripts that are not present in the git repository. Packages built against the 5.6.1 source code are present in edge, but not in any of the stable releases.

We presently believe Alpine was not affected in practice. The backdoor targeted sshd binaries linked with libsystemd and glibc, which is not the case in Alpine’s openssh-server package.

Out of an abundance of caution, we have rebuilt the xz package directly from the git repository with our own generated build scripts, which has been confirmed to remove the backdoor enablement code. Accordingly, we recommend that users on edge upgrade immediately to xz-5.6.1-r2 or newer to ensure they are not exposed to this backdoor.
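As an added example (not Alpine's or the xz project's own tooling), the check that underlies the rebuild above: compare an unpacked release tarball with the corresponding git checkout and report files that exist only in the tarball or whose content differs from git, since generated build scripts shipped only in the tarball are where the backdoor was enabled. Directory layout and file contents below are constructed placeholders.

```python
"""Compare an unpacked release tarball against the matching git checkout.

Files present only in the tarball are normally generated autotools output,
but each one is build-time code that nobody reviewed in git, which is the
gap the xz backdoor used. Sample trees here are constructed placeholders.
"""
import hashlib
import os
import tempfile


def _digest_tree(root):
    """Map each relative file path under root to its SHA-256 hex digest."""
    digests = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]  # skip VCS metadata
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def compare_tarball_to_git(tarball_dir, git_dir):
    """Return tarball-only files and shared files whose content differs."""
    tar = _digest_tree(tarball_dir)
    git = _digest_tree(git_dir)
    only_in_tarball = sorted(set(tar) - set(git))
    modified = sorted(p for p in set(tar) & set(git) if tar[p] != git[p])
    return {"only_in_tarball": only_in_tarball, "modified": modified}


def _write(root, rel, data):
    """Create rel under root (with parent directories) holding data."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path) or path, exist_ok=True)
    with open(path, "w") as fh:
        fh.write(data)


def demo():
    """Constructed sample: tarball adds a generated script and an m4 file,
    and silently edits one m4 file that git also carries."""
    with tempfile.TemporaryDirectory() as tar, tempfile.TemporaryDirectory() as git:
        for root in (tar, git):
            _write(root, "configure.ac", "AC_INIT([placeholder])\n")
            _write(root, "m4/unchanged.m4", "# placeholder, identical\n")
        _write(git, "m4/shared.m4", "# placeholder\n")
        _write(tar, "m4/shared.m4", "# placeholder, edited in tarball only\n")
        _write(tar, "configure", "#!/bin/sh\n# placeholder generated script\n")
        _write(tar, "m4/generated-extra.m4", "# placeholder, tarball-only\n")
        return compare_tarball_to_git(tar, git)
```

Run `demo()` to see the two findings a reviewer would inspect: the files absent from git and the one whose content was changed between git and tarball.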

This issue is tracked in Alpine’s security tracker as CVE-2024-3094.