Blog Security Important information regarding xz-utils (CVE-2024-3094)
March 30, 2024
1 min read

Important information regarding xz-utils (CVE-2024-3094)

Affected software not used for, GitLab Dedicated, or default self-hosted software packages.


GitLab is aware of CVE-2024-3094, where malicious code was back-doored into the xz-utils lossless compression software suite, affecting xz-utils Versions 5.6.0 and 5.6.1. Upon investigation, GitLab determined that it does not use the affected software version for, GitLab Dedicated, or default self-hosted software packages.

GitLab self-hosted customers should check locally installed packages to ensure that they do not have the packages xz or xz-utils Versions 5.6.0 or 5.6.1 installed. If it is installed, it may be safer to downgrade them to 5.4.x until the vendor provides a safe version, or confirms the latest versions are not affected. If possible, the hosts and containers with the potentially malicious version should be brought down and replaced in case they have been compromised.

Microsoft-owned GitHub has since disabled the XZ Utils repository maintained by the Tukaani Project "due to a violation of GitHub's terms of service."

We want to hear from you

Enjoyed reading this blog post or have questions or feedback? Share your thoughts by creating a new topic in the GitLab community forum. Share your feedback

Ready to get started?

See what your team could do with a unified DevSecOps Platform.

Get free trial

New to GitLab and not sure where to start?

Get started guide

Learn about what GitLab can do for your team

Talk to an expert