A security flaw has been found in the xz project that, under certain conditions, can work as a backdoor for world-facing openSSH servers.
This vulnerability is not present in any of the Torizon OS (formerly TorizonCore) releases.
The affected xz versions are xz 5.6.0 and xz 5.6.1. However, our current Torizon OS releases follow the upstream OpenEmbedded project, which currently ships version 5.2.6.
On official Toradex Containers, we strictly ship Debian Stable (currently codenamed ‘Bookworm’), which was also never affected by this vulnerability.
No action from our customers is needed.
You may choose to manually verify this information. If so, you can:
- Refer to our manifest files.
- Use our Software Bill of Materials for both the Yocto Project and Containers.
- Refer to the official Debian CVE page.
In the unlikely event that Torizon OS is affected by a future vulnerability, you will be able to securely and remotely update all your field devices to a newer version containing the fix. We provide frequent releases with long-term support, enabling you to keep your production fleet safe without any maintenance downtime.