Re: xz security alert and CVE-2024-3094

On 3/29/24 18:20, Ana Guerrero Lopez via openSUSE Factory wrote:

The latest versions of "xz" (5.6.0 and 5.6.1) contained malicious code ( refer to CVE-2024-3094 ) and the package in Tumbleweed has been reverted back to version 5.4.

After the big update of 5000+ packages yesterday, is there a speicific reason for this additional downgrade today? The following 3 packages are going to be downgraded: liblzma5 5.6.1.revertto5.4-3.2 -> 5.6.1.revertto5.4-2.1 liblzma5-x86-64-v3 5.6.1.revertto5.4-3.2 -> 5.6.1.revertto5.4-2.1 xz 5.6.1.revertto5.4-3.2 -> 5.6.1.revertto5.4-2.1 Thanks & have a nice day, Berny