List: opensuse-factory
Subject: Re: xz security alert and CVE-2024-3094
From: Dirk_Müller_via_openSUSE_Factory <factory () lists ! opensuse ! org>
Date: 2024-03-30 7:56:46
Message-ID: CAN6Ha9ZBZ1yqJ0QfBekbCs72yJsnDwgJUkWfRPB8xqDT5wiHOA () mail ! gmail ! com
Hi Felix,
Slowroll is not affected by this backdoor. No action is necessary.
Greetings,
Dirk
Felix Miata <mrmazda@earthlink.net> wrote on Sat, 30 March 2024, 03:13:
> Michal Suchánek composed on 2024-03-29 23:39 (UTC+0100):
>
> > On Fri, Mar 29, 2024 at 06:20:27PM +0100, Ana Guerrero Lopez wrote:
>
> >> If you're using an up-to-date Tumbleweed, please make sure to update as soon
> >> as possible your system.
>
> >> The latest versions of "xz" (5.6.0 and 5.6.1) contained malicious code
> >> (refer to CVE-2024-3094) and the package in Tumbleweed has been reverted
> >> back to version 5.4.
>
> >> After reading this mail, please update your system and ensure you're
> >> downgrading xz to the version *5.6.1.revertto5.4*. This version
> >> despite its name is version 5.4. Last step is reboot your system.
>
> >> Hopefully we'll have soon more detailed information about this CVE.
>
> > Somewhat useful information seems to be:
>
> > https://www.openwall.com/lists/oss-security/2024/03/29/4
> > https://boehs.org/node/everything-i-know-about-the-xz-backdoor
>
> Current installed Slowroll xz rpm comes from xz source package 5.4.6-1.2.
> Is any current Slowroll admin action required or to be avoided?
> --
> Evolution as taught in public schools is, like religion,
> based on faith, not based on science.
>
> Team OS/2 ** Reg. Linux User #211409 ** a11y rocks!
>
> Felix Miata
>
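
Added example (not part of the original thread and not openSUSE's own tooling): a shell check that classifies an xz package version against the versions named in this thread, handling the reverted Tumbleweed package whose version string still begins with 5.6.1. The function names, the "not-listed" label and the release suffixes in the sample strings are constructed; the query assumes the package is named xz, as in the mail.

```shell
#!/bin/sh
# Added example. Sample version strings are constructed, except 5.4.6-1.2,
# which is the Slowroll version quoted in the thread.

# classify_xz_version VERSION[-RELEASE]
# Prints: reverted | affected | not-listed
classify_xz_version() {
    case "$1" in
        # Must be tested first: the string starts with 5.6.1, but the
        # announcement states this package is really version 5.4.
        5.6.1.revertto5.4*) echo "reverted" ;;
        # 5.6.0 and 5.6.1, with or without an RPM release suffix.
        5.6.0|5.6.0-*|5.6.1|5.6.1-*) echo "affected" ;;
        # Anything else is not one of the versions named in the thread.
        *) echo "not-listed" ;;
    esac
}

# check_installed_xz [PACKAGE]   (package name defaults to xz; assumption)
# Returns 1 if an affected version is installed, 2 if the query fails.
check_installed_xz() {
    pkg="${1:-xz}"
    command -v rpm >/dev/null 2>&1 || { echo "rpm not found" >&2; return 2; }
    vers=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' "$pkg" 2>/dev/null) || {
        echo "$pkg is not installed" >&2; return 2; }
    status=0
    for v in $vers; do
        state=$(classify_xz_version "$v")
        echo "$pkg $v: $state"
        if [ "$state" = "affected" ]; then status=1; fi
    done
    return "$status"
}

# Offline demonstration on constructed strings; a naive "5.6.1*" match
# would wrongly flag the second one.
for sample in 5.6.1-1.1 5.6.1.revertto5.4-3.2 5.4.6-1.2; do
    printf '%s -> %s\n' "$sample" "$(classify_xz_version "$sample")"
done
```

Call check_installed_xz on an RPM-based system to query the installed package.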