narc0tic_bird , 3 months ago

Fedora 39 and 40 (which is still in beta) uses xz 5.4. Fedora 41/rawhide (essentially the development branch) was affected it seems: access.redhat.com/security/cve/CVE-2024-3094. CentOS Stream and RHEL have way more outdated packages than that, so they were never vulnerable to this backdoor.

openSUSE Tumbleweed (their rolling release) was affected: news.opensuse.org/2024/03/29/xz-backdoor/, Enterprise or Leap were unaffected.