Urgent: Secret Backdoor Found in XZ Utils Library, Impacts Major Linux Distros

Red Hat and other vendors alerted that XZ Utils versions 5.6.0 and 5.6.1 were backdoored (CVE-2024-3094, CVSS 10.0) via an obfuscated prebuilt object hidden in source commits, resulting in a modified liblzma that can intercept calls and potentially inject code into OpenSSH (sshd) to allow pre-auth remote payload execution; Fedora 41 and Rawhide packages are known impacted, GitHub disabled the repository, CISA issued guidance, and users are advised to downgrade to a known-good XZ version.