On 29.03.2024 20:20, Ana Guerrero Lopez via openSUSE Factory wrote:
Hi,
If you're using an up-to-date Tumbleweed, please make sure to update your system as soon as possible.
The latest versions of "xz" (5.6.0 and 5.6.1) contained malicious code (refer to CVE-2024-3094) and the package in Tumbleweed has been reverted back to version 5.4.
After reading this mail, please update your system and ensure you're downgrading xz to the version *5.6.1.revertto5.4*. This version, despite its name, is version 5.4. The last step is to reboot your system.
While providing a patch on Tumbleweed for those users who are not aware they should not use YaST Online Update or similar on Tumbleweed is certainly very commendable, the way this patch was provided leaves something to be desired. Users are greeted with a strange patch named "reboot-really-needed" with the description "Critical update for openSUSE Tumbleweed" and "Please reboot your system NOW!". The text has no reference to xz or the CVE, and the whole thing looks like malware itself.
https://forums.opensuse.org/t/reboot-really-needed-unknown-author/173671
While it is probably too late now, maybe next time such an emergency patch can be presented better without scaring users.
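Because the revert package carries a version string that starts with the compromised "5.6.1", a naive version check can misread it. The following added helper (not from either mail, and not an openSUSE tool) classifies an xz version string as printed by `rpm -q --qf '%{VERSION}\n' xz` so an admin can confirm the downgrade described above before rebooting; the exact rpm version string of the revert package is assumed to be "5.6.1.revertto5.4" as written in the announcement.

```shell
#!/bin/sh
# Added example: classify an xz package version string into
# "reverted", "compromised" or "other". The pattern order matters:
# the revert package name starts with 5.6.1, so it must be matched first.
xz_version_status() {
  # $1: version string such as "5.6.1" or "5.6.1.revertto5.4" (assumed format)
  case "$1" in
    5.6.1.revertto5.4*) echo reverted ;;     # Tumbleweed revert package: really 5.4
    5.6.0*|5.6.1*)      echo compromised ;;  # versions affected by CVE-2024-3094
    *)                  echo other ;;
  esac
}

# Query the installed version with rpm when no argument is given (rpm-based
# systems only; assumed query format), otherwise evaluate the supplied string.
# Returns non-zero when the installed xz is one of the compromised versions.
check_installed_xz() {
  ver="$1"
  if [ -z "$ver" ] && command -v rpm >/dev/null 2>&1; then
    ver=$(rpm -q --qf '%{VERSION}\n' xz 2>/dev/null | head -n1)
  fi
  status=$(xz_version_status "$ver")
  printf 'xz %s: %s\n' "${ver:-unknown}" "$status"
  [ "$status" != compromised ]
}

# Usage: ./xz-check.sh            (queries rpm)
#        ./xz-check.sh 5.6.1      (checks a given version string)
check_installed_xz "$@"
```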