A backdoor in xz

Post Syndicated from corbet original https://lwn.net/Articles/967180/

Andres Freund has posted a detailed investigation into a backdoor that was
shipped with versions 5.6.0 and 5.6.1 of the xz compression utility. It
appears that the malicious code may be aimed at allowing SSH authentication
to be bypassed.

I have not yet analyzed precisely what is being checked for in the
injected code, to allow unauthorized access. Since this is running
in a pre-authentication context, it seems likely to allow some form
of access or other form of remote code execution.

The affected versions are not yet widely shipped, but checking systems for
the bad version would be a good idea.
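
One way to do that check, as an added example that is not part of the original article or of Freund's report: a shell script that flags the two releases named above, reading versions from the package database so the installed xz binary is not executed. The package names (xz-utils, liblzma5, xz, xz-libs) and the handling of Debian-style "+really" version strings are assumptions about how a distribution packages xz.

```shell
#!/bin/sh
# Added example (not from the article): flag xz/liblzma 5.6.0 and 5.6.1.

# Reduce a tool or package version string to the upstream x.y.z it carries:
# drops an epoch ("1:5.6.1-1"), a packaging suffix ("5.6.1-2.fc40"), and for
# Debian-style "+really" strings takes the version after "really".
upstream_version() {
    uv=${1#*:}
    case $uv in *+really*) uv=${uv##*+really} ;; esac
    printf '%s\n' "$uv" |
        sed -n 's/^\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Succeeds (exit 0) only for the two releases the article names.
is_affected() {
    case $(upstream_version "$1") in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Classify multi-line text whose last field per line is a version, such as
# `xz --version` output ("xz (XZ Utils) X.Y.Z" then "liblzma X.Y.Z").
check_versions() {
    result=ok
    while read -r line; do
        if is_affected "${line##* }"; then result=AFFECTED; fi
    done <<EOF
$1
EOF
    printf '%s\n' "$result"
}

# Query the package database; package names are assumptions
# (Debian-family and Fedora-family defaults).
scan_installed() {
    {
        dpkg-query -W -f='${Package} ${Version}\n' xz-utils liblzma5
        rpm -q --qf '%{NAME} %{VERSION}\n' xz xz-libs
    } 2>/dev/null | while read -r pkg ver; do
        case $ver in [0-9]*) ;; *) continue ;; esac  # skip "not installed" text
        echo "$pkg $ver: $(check_versions "$ver")"
    done
}

if [ "${1:-}" = "--scan" ]; then scan_installed; fi
```

Run it with `--scan` to print one line per installed package; the library package matters as much as the command-line tool, so an `AFFECTED` result on either is a finding.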