Hello Frank and all, On 2024-03-30 T 10:28 +0100 Frank Krüger via openSUSE Factory wrote:
On 29.03.24 at 18:20, Ana Guerrero Lopez via openSUSE Factory wrote:
Hi,
If you're using an up-to-date Tumbleweed, please make sure to update as soon as possible your system.
The latest versions of "xz" (5.6.0 and 5.6.1) contained malicious code (refer to CVE-2024-3094) and the package in Tumbleweed has been reverted back to version 5.4.
After reading this mail, please update your system and ensure you're downgrading xz to the version 5.6.1.revertto5.4. This version, despite its name, is version 5.4. The last step is to reboot your system.
Hopefully we'll have soon more detailed information about this CVE.
Have a nice weekend!
Ana from the openSUSE release team.
Thank you. According to the discussion at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068024, in particular regarding the person who might have backdoored xz and their contributions in the past, there is a suggestion to revert to version 5.3.1 for the time being. Are there similar considerations at openSUSE? Thx.
According to my information, at this point in time the revert to 5.4 is sufficient, and a revert back to 5.3.1 is not needed. Please do not forget to reboot after installing the downgraded packages.

So long -
MgE

--
Matthias G. Eckermann, Head of Products and Partners
SUSE Software Solutions Germany GmbH, Frankenstr. 146, 90461 Nuernberg
(HRB 36809, AG Nürnberg) GF: Ivo Totev, Andrew McDonald, Werner Knoblich
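The advice in the thread is to check that the installed xz is the 5.6.1.revertto5.4 build and not a real 5.6.0 or 5.6.1. The following is an added example, not part of the mailing-list thread or of openSUSE's tooling: a small POSIX shell helper that classifies version strings in the form `rpm -qa --qf '%{NAME} %{VERSION}\n' xz liblzma5` would print on Tumbleweed. The version names come from the thread; the package names and the rpm query format are assumptions, and the sample lines fed to it are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): classify xz/liblzma package versions
# around CVE-2024-3094. Affected: 5.6.0 and 5.6.1. The openSUSE downgrade
# build is named 5.6.1.revertto5.4 but contains 5.4 code, so it is safe.
# Package names (xz, liblzma5) and the rpm query format are assumptions.

# xz_version_status VERSION -> prints affected | safe | unknown
xz_version_status() {
    case "$1" in
        5.6.1.revertto5.4*) echo safe ;;      # must be tested before 5.6.1*
        5.6.0*|5.6.1*)      echo affected ;;  # backdoored upstream releases
        5.4.*|5.2.*)        echo safe ;;      # pre-5.6 releases
        *)                  echo unknown ;;   # anything else: check manually
    esac
}

# count_affected reads "NAME VERSION" lines on stdin (the shape of
#   rpm -qa --qf '%{NAME} %{VERSION}\n' xz liblzma5),
# prints one status line per package to stderr and the number of affected
# packages to stdout, so callers can act on the count.
count_affected() {
    n=0
    while read -r name ver; do
        if [ -z "$name" ]; then continue; fi
        status=$(xz_version_status "$ver")
        printf '%-10s %-22s %s\n' "$name" "$ver" "$status" >&2
        if [ "$status" = affected ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Constructed sample output: one real 5.6.1 and one reverted build.
SAMPLE='xz 5.6.1
liblzma5 5.6.1.revertto5.4'

# Stand-alone run: exit non-zero when any affected package is present,
# which also serves as a reminder that a reboot follows the downgrade.
if [ "${0##*/}" != "sh" ] && [ -z "$XZ_CHECK_NO_MAIN" ]; then
    affected=$(printf '%s\n' "$SAMPLE" | count_affected)
    if [ "$affected" -gt 0 ]; then
        echo "$affected affected xz/liblzma package(s): downgrade, then reboot" >&2
    fi
fi
```

On a live system, replace the constructed `SAMPLE` with the real rpm output (`rpm -qa --qf '%{NAME} %{VERSION}\n' xz liblzma5 | count_affected`). The `case` order matters: the revertto pattern is matched before the generic `5.6.1*` pattern, otherwise the safe downgrade build would be reported as affected.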