As part of the baseline work, the Apertis core team monitors security issues and updates. On March 28, 2024, a backdoor in the upstream xz/liblzma project [1] was found that compromised SSH servers.
This issue was first introduced in the stable xz-utils 5.6.0 release, which is found in Debian experimental, Debian testing, and Debian unstable. However, none of the Apertis releases are affected. The current Apertis 2024.0, which was just released, is based on Debian 12 (Bookworm). Neither Debian Bookworm nor Apertis 2024.0 is affected, as both rely on an earlier version of the xz/liblzma project.
For reference, the version of the xz/liblzma project (xz-utils) included in the latest Apertis release is 5.4.1-0.2.
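A version check a Debian or Apertis administrator could run to confirm the statement above, added here as an example and not part of this announcement or of the Apertis project: it strips the Debian epoch and revision from a package version, compares the upstream part against the 5.6.0 floor the post gives, and, on a host where dpkg-query exists, reports the installed xz-utils and liblzma5 versions. The 5.6.0 floor comes from the post; the package names are the Debian ones; the helper names are assumptions. Because the post gives no upper bound, anything at or above 5.6.0 is flagged for review rather than declared safe.

```sh
#!/bin/sh
# Added example (not Apertis project code): flag xz-utils/liblzma package
# versions at or above 5.6.0, the floor the announcement gives for the
# backdoored releases.

AFFECTED_FROM="5.6.0"   # from the announcement; no upper bound is given there

# Strip the Debian epoch ("N:") and revision ("-x") from a package version,
# leaving the upstream version, e.g. "5.4.1-0.2" -> "5.4.1".
upstream_version() {
    v=$1
    v=${v#*:}
    v=${v%%-*}
    printf '%s\n' "$v"
}

# Compare two dotted numeric versions component by component.
# Prints -1, 0 or 1 (a < b, a = b, a > b). Missing components count as 0;
# non-digit suffixes such as "~rc1" are ignored (a deliberate simplification).
version_cmp() {
    a="$1."
    b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        fa=${a%%.*}; a=${a#*.}
        fb=${b%%.*}; b=${b#*.}
        fa=${fa%%[!0-9]*}; fb=${fb%%[!0-9]*}
        fa=${fa:-0}; fb=${fb:-0}
        if [ "$fa" -lt "$fb" ]; then printf '%s\n' -1; return 0; fi
        if [ "$fa" -gt "$fb" ]; then printf '%s\n' 1; return 0; fi
    done
    printf '%s\n' 0
}

# Exit status 0 if the given Debian package version is at or above the floor.
xz_is_affected() {
    uv=$(upstream_version "$1")
    [ "$(version_cmp "$uv" "$AFFECTED_FROM")" -ge 0 ]
}

# Report the installed xz-utils and liblzma5 package versions on a
# Debian-based host; packages that are not installed are skipped.
check_installed() {
    for pkg in xz-utils liblzma5; do
        ver=$(dpkg-query -W -f='${Version}' "$pkg" 2>/dev/null) || continue
        if xz_is_affected "$ver"; then
            echo "$pkg $ver: at or above $AFFECTED_FROM, review against CVE-2024-3094"
        else
            echo "$pkg $ver: below $AFFECTED_FROM"
        fi
    done
}

# Only query dpkg where it exists, so the script also runs on non-Debian hosts.
if command -v dpkg-query >/dev/null 2>&1; then
    check_installed
fi
```

On an Apertis 2024.0 host the expected output is two lines reporting 5.4.1-0.2 as below 5.6.0; the comparison helpers can also be sourced and applied to version strings taken from package lists or image manifests.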
Even though this issue does not affect Apertis, its impact is an important reminder of the need to follow best practices for handling security reports and updates.
Regards,
Walter
[1] https://nvd.nist.gov/vuln/detail/CVE-2024-3094