A supply chain compromise has been discovered affecting the XZ compression library (xz-utils/liblzma), with the apparent purpose of implanting a backdoor into sshd on systemd-driven distributions. The current state of analysis indicates that no version of UCS is affected. The same applies to the UCS-based container images used e.g. in Nubus, openDesk and related products, and to the UCS 5.2 Beta 1; none of these Univention products are affected (status: Vulnerable code not present).
The vulnerability is tracked as CVE-2024-3094; the linked Debian Security Tracker page contains links to the usual places such as NVD.
Links
- [SECURITY] [DSA 5649-1] xz-utils security update
- Reported Supply Chain Compromise Affecting XZ Utils Data Compression Library, CVE-2024-3094 | CISA
- oss-sec: backdoor in upstream xz/liblzma leading to ssh server compromise
- xz-utils backdoor situation (CVE-2024-3094) · GitHub
- research!rsc: Timeline of the xz open source attack