Anaconda Not Affected by Malicious xz Code

What Happened?

A March 29, 2024 announcement brought to light malicious code that affects the latest version of the “xz” tools and libraries. This was an identified level 10 severity CVE. We want to take this opportunity to reassure you that Anaconda products and packages were not impacted by this incident and our customers are safe from this issue.

Why are Anaconda products and packages unaffected?

Data Science and AI Workbench (AE5/DSP) and Package Security Manager (Server)

Anaconda uses RHEL for the UBI base images to build Workbench and Package Security Manager. RedHat has confirmed that RHEL is unaffected. The vulnerability is present in certain Fedora releases. 

Anaconda.org

The affected xz library versions (5.6.0 and 5.6.1) are not present in any of the following anaconda, main, and conda-forge channels. 

• https://anaconda.org/anaconda/xz 
• https://anaconda.org/main/xz 
• https://anaconda.org/conda-forge/xz (not managed by Anaconda, but hosted on anaconda.org)

Based on available information as of April 1st, 2024, only xz‘s 5.6.0 and 5.6.1 source artifacts are affected, and as a result, Anaconda’s products are not known to be susceptible to this backdoor vulnerability. However, as this is an ongoing investigation in the software security community and we currently cannot be 100% certain that no other xz releases or other projects were affected; but rest assured that Anaconda will continue to update our customers and community of any further developments.

To learn more about how the conda-forge community responded to this issue, see the blog article they published. More information on Anaconda security can be found here.