
Hi Andrei,

On Tue, 2 Apr 2024 at 19:20, Andrei Borzenkov <arvidjaar@gmail.com> wrote:
> > After reading this mail, please update your system and ensure you're downgrading xz to the version *5.6.1.revertto5.4*. This version despite its name is version 5.4. The last step is to reboot your system.
>
> While providing a patch on Tumbleweed for those users who are not aware they should not use YaST Online Update or similar on Tumbleweed is certainly very commendable, the way this patch was provided leaves something to be desired. Users are greeted with a strange patch with the name "reboot-really-needed" with the description "Critical update for openSUSE Tumbleweed" and "Please reboot your system NOW!". The text has no reference to xz or CVE and the whole thing looks like malware itself.

This is the test update, it is unrelated to the system upgrade that can be done via zypper dup. I agree we should probably not have it in the repo, but it's good to be able to test maintenance updates (but this path isn't used in TW). The description is generic because it is unrelated to the xz backdoor and is there to let Quality Assurance test functionality end-to-end.

Greetings,
Dirk