On 4/3/24 1:35 PM, Dominique Leuenberger wrote:
On Wed, 2024-04-03 at 19:03 +0200, Bernhard Voelker wrote:
On 3/29/24 18:20, Ana Guerrero Lopez via openSUSE Factory wrote:
The latest versions of "xz" (5.6.0 and 5.6.1) contained malicious code (refer to CVE-2024-3094) and the package in Tumbleweed has been reverted back to version 5.4.
After the big update of 5000+ packages yesterday, is there a specific reason for this additional downgrade today?
The following 3 packages are going to be downgraded:
  liblzma5 5.6.1.revertto5.4-3.2 -> 5.6.1.revertto5.4-2.1
  liblzma5-x86-64-v3 5.6.1.revertto5.4-3.2 -> 5.6.1.revertto5.4-2.1
  xz 5.6.1.revertto5.4-3.2 -> 5.6.1.revertto5.4-2.1
The overlay in the :Update channel has been removed, as the main channel has fully caught up.
The :Update is always one check-in count ahead.
Cheers,
Dominique

Does this mean there is still a backdoor issue with xz 5.4-3.2 since it is being downgraded again to 5.4-2.1?

--
Regards,
Joe