
On 29.03.24 at 18:20, Ana Guerrero Lopez via openSUSE Factory wrote:
Hi,
If you're using an up-to-date Tumbleweed, please make sure to update your system as soon as possible.
The latest versions of "xz" (5.6.0 and 5.6.1) contained malicious code ( refer to CVE-2024-3094 ) and the package in Tumbleweed has been reverted back to version 5.4.
After reading this mail, please update your system and ensure you're downgrading xz to the version 5.6.1.revertto5.4. This version, despite its name, is version 5.4. The last step is to reboot your system.
Hopefully we'll soon have more detailed information about this CVE.
Have a nice weekend!
Ana from the openSUSE release team.

Thank you. According to the discussion at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068024, in particular regarding the person who might have backdoored xz and their contributions in the past, there is a suggestion to revert to version 5.3.1 for the time being. Are there similar considerations at openSUSE? Thx.
Regards, Frank
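The procedure in the quoted mail (update, confirm that xz is now the reverted package, reboot) leaves one step to the reader: checking which xz version a system actually carries. Below is an added example of such a check, written for this page and not taken from the mail, the openSUSE release team or the xz project. It assumes only what the mail states: upstream 5.6.0 and 5.6.1 are the affected releases (CVE-2024-3094), and openSUSE's reverted package is named 5.6.1.revertto5.4 while containing 5.4 code. The version strings fed to it are constructed samples; the `rpm -q` invocation at the end is how one would point it at a live openSUSE system.

```shell
#!/bin/sh
# Added example (not from the openSUSE mail or the xz project): classify an
# xz version string against CVE-2024-3094.
# Assumptions: affected upstream releases are 5.6.0 and 5.6.1; openSUSE's
# reverted package reports "5.6.1.revertto5.4" but contains 5.4 code.

# Reduce either a bare version ("5.6.1") or the first line of `xz --version`
# output ("xz (XZ Utils) 5.6.1") to the version token alone.
xz_version_token() {
    printf '%s\n' "$1" | sed -n '1p' | sed 's/^xz (XZ Utils) *//' | cut -d' ' -f1
}

# Return 0 (true) when the version is an affected release that has NOT been
# reverted, 1 otherwise.
xz_is_affected() {
    case "$(xz_version_token "$1")" in
        *revertto5.4*)               return 1 ;;   # openSUSE's reverted build: 5.4 code
        5.6.0|5.6.0-*|5.6.1|5.6.1-*) return 0 ;;   # the CVE-2024-3094 releases
        *)                           return 1 ;;   # 5.4.x and everything else
    esac
}

# Human-readable verdict, mirroring the mail's instruction for affected hosts.
xz_verdict() {
    if xz_is_affected "$1"; then
        echo "AFFECTED: update and reboot"
    else
        echo "ok"
    fi
}

# Constructed sample inputs (not taken from a real system).
for sample in "5.4.6" "xz (XZ Utils) 5.6.0" "5.6.1" "5.6.1.revertto5.4"; do
    printf '%-24s %s\n' "$sample" "$(xz_verdict "$sample")"
done

# On a live openSUSE system (assumes rpm is available; the RPM VERSION field
# is the string the mail refers to):
#   xz_verdict "$(rpm -q --qf '%{VERSION}\n' xz)"
```

The check looks only at the package version, which is exactly what the mail asks the reader to verify; a reboot is still needed afterwards because already-running processes keep the old liblzma mapped until they are restarted.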