XZ 5.6.2 Released With The Frightening Backdoor Removed
It was two months ago today that an urgent security alert was issued over XZ being hit by malicious code, which turned out to be a backdoor within liblzma added by a bad actor who had worked his way into XZ co-maintainership. Longtime XZ developer Lasse Collin is back at the helm, has been auditing the prior XZ commits, and today released XZ 5.6.2 with the backdoor completely removed.
The XZ 5.6.2 release clears out the CVE-2024-3094 backdoor that was present in the former v5.6 and v5.6.1 releases. The XZ backdoor situation continues to be investigated, and those interested in the ongoing updates can see this XZ backdoor page for the latest information.
Lasse Collin also announced that Sam James has stepped up as a supporting maintainer moving forward for the XZ project.
The XZ 5.6.2 release also has a few bug fixes, fixes for building with the latest NVIDIA HPC SDK (compiler), and drops the GNU Indirect Function (IFUNC) support. The IFUNC support was used by the XZ backdoor, but this code is being removed because the performance benefits of using it were too small while adding much complexity. XZ 5.4.7 and XZ 5.2.13 were also released today with various bug fixes, but only the XZ 5.6 series was impacted by the backdoor situation.
The new XZ point releases are available from GitHub.