On 29.03.24 at 18:22, Ana Guerrero via openSUSE Users wrote:
Hi,
If you're using an up-to-date Tumbleweed, please make sure to update your system as soon as possible.
The latest versions of "xz" (5.6.0 and 5.6.1) contained malicious code (refer to CVE-2024-3094) and the package in Tumbleweed has been reverted back to version 5.4.
After reading this mail, please update your system and ensure you're downgrading xz to the version 5.6.1.revertto5.4. This version, despite its name, is version 5.4. The last step is to reboot your system.
Hopefully we'll soon have more detailed information about this CVE.
Have a nice weekend!
Ana from the openSUSE release team.

There was some pressure from the perpetrators to include their security holes in certain distributions.
How are the software packages included in Tumbleweed? Is there also the possibility that pressure may lead to including packages into SUSE Tumbleweed?

From heise (translated from German): "...but also pressed Linux distributions to adopt the package versions he had prepared into their systems as quickly as possible."
https://www.heise.de/news/xz-Attacke-Hintertuer-entraetselt-weitere-Details-...

"As current analyses show, however, a number of people pushed very actively for exactly that; presumably, as with Jia Tan, these are also artificial personas of the attackers."
https://www.heise.de/hintergrund/Die-xz-Hintertuer-das-verborgene-Oster-Dram...

BR
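The advisory quoted above asks users to confirm that xz ends up at "5.6.1.revertto5.4", a package whose name still begins with 5.6.1 even though its contents are 5.4. A version check that only looks at the leading digits would wrongly report that downgrade as still affected. The following POSIX shell snippet is an added example, not part of the original mail or of openSUSE's tooling: it classifies an xz version string according to the advisory (only 5.6.0 and 5.6.1 are treated as affected, the revertto5.4 build as the safe downgrade), and, when `rpm` is available, applies that to the installed package. The assumption that `rpm -q --queryformat '%{VERSION}' xz` yields the "5.6.1.revertto5.4" string is mine and is marked in the code.

```shell
#!/bin/sh
# Added example (not from the original mail): classify an xz version string
# as described in the openSUSE advisory for CVE-2024-3094.
#
# Returns one of:
#   reverted    - the openSUSE "5.6.1.revertto5.4" downgrade (contents are 5.4)
#   vulnerable  - the affected upstream releases 5.6.0 and 5.6.1
#   unaffected  - anything else named in no part of the advisory (e.g. 5.4.x)
classify_xz_version() {
    ver="$1"
    case "$ver" in
        # Must come first: the name starts with 5.6.1 but the content is 5.4.
        5.6.[01].revertto5.4*)               echo "reverted"   ;;
        # Exact affected releases, with or without a distro release suffix
        # such as "5.6.1-1.1". The [-.]* tail keeps "5.6.10" from matching.
        5.6.0|5.6.0[-.]*|5.6.1|5.6.1[-.]*)   echo "vulnerable" ;;
        *)                                   echo "unaffected" ;;
    esac
}

# Apply the classification to the installed package on an RPM-based system.
# Assumption (not stated in the mail): the package is named "xz" and its
# %{VERSION} field carries the "5.6.1.revertto5.4" string after the downgrade.
# Exit status is non-zero only when the installed version is classified as
# vulnerable, so the function can be used in a cron job or login check.
check_installed_xz() {
    if ! command -v rpm >/dev/null 2>&1; then
        echo "rpm not available; skipping live check" >&2
        return 0
    fi
    ver=$(rpm -q --queryformat '%{VERSION}\n' xz 2>/dev/null) || {
        echo "xz package not installed" >&2
        return 0
    }
    status=$(classify_xz_version "$ver")
    echo "installed xz version $ver: $status"
    [ "$status" != "vulnerable" ]
}

check_installed_xz || echo "ACTION REQUIRED: update xz and reboot, as the advisory instructs" >&2
```

Run the script directly on the Tumbleweed host after `zypper dup`; the final line prints the reminder from the advisory when the installed build is still one of the affected releases.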