
List:       opensuse-factory
Subject:    Re: xz security alert and CVE-2024-3094
From:       Felix Miata <mrmazda () earthlink ! net>
Date:       2024-03-30 2:12:22
Message-ID: 4ddbe63c-57ee-5ac2-4eca-5573c0bc2cdf () earthlink ! net

Michal Suchánek composed on 2024-03-29 23:39 (UTC+0100):

> On Fri, Mar 29, 2024 at 06:20:27PM +0100, Ana Guerrero Lopez wrote:

>> If you're using an up-to-date Tumbleweed, please make sure to update as soon
>> as possible your system.

>> The latest versions of "xz" (5.6.0 and 5.6.1) contained malicious code (
>> refer to CVE-2024-3094 ) and the package in Tumbleweed has been reverted
>> back to version 5.4.

>> After reading this mail, please update your system and ensure you're
>> downgrading xz to the version *5.6.1.revertto5.4*. This version
>> despite its name is version 5.4. Last step is reboot your system.

>> Hopefully we'll have soon more detailed information about this CVE.

> Somewhat useful information seems to be:

> https://www.openwall.com/lists/oss-security/2024/03/29/4
> https://boehs.org/node/everything-i-know-about-the-xz-backdoor

Current installed Slowroll xz rpm comes from xz source package 5.4.6-1.2. Is any
current Slowroll admin action required or to be avoided?
-- 
Evolution as taught in public schools is, like religion,
	based on faith, not based on science.

 Team OS/2 ** Reg. Linux User #211409 ** a11y rocks!

Felix Miata
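
An added example, not part of the original message or of any openSUSE tooling: a shell check that compares installed package versions with the versions named in the quoted announcement (5.6.0 and 5.6.1 affected, 5.6.1.revertto5.4 being the 5.4 downgrade). The function names are hypothetical, and "not-listed" means only that the announcement does not name that version.

```shell
#!/bin/sh
# Added example: classify xz package versions against the quoted announcement.

# classify_xz_version VERSION[-RELEASE]
# Prints one of: affected | reverted | not-listed
classify_xz_version() {
    # Drop the RPM release suffix (e.g. "-1.2") to get the package version.
    ver=${1%%-*}
    case "$ver" in
        # The downgrade package keeps a "5.6.1" prefix but is version 5.4,
        # so it must be matched before the affected versions are tested.
        *revertto*) echo reverted ;;
        5.6.0|5.6.1) echo affected ;;
        *) echo not-listed ;;
    esac
}

# check_installed PACKAGE...
# Queries the local RPM database; returns 1 if any package is affected.
check_installed() {
    status=0
    for pkg in "$@"; do
        # rpm exits non-zero when the package is not installed; skip it.
        vers=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' "$pkg" 2>/dev/null) || continue
        for v in $vers; do
            result=$(classify_xz_version "$v")
            echo "$pkg $v: $result"
            if [ "$result" = affected ]; then
                status=1
            fi
        done
    done
    return $status
}

# Run against the package names given on the command line, if any.
if [ "$#" -gt 0 ]; then
    check_installed "$@"
fi
```

Pass the package names to check as arguments, for example xz together with the distribution's liblzma library package.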