xz security alert and CVE-2024-3094
Hi,
If you're using an up-to-date Tumbleweed, please make sure to update your system as soon as possible.
The latest versions of "xz" (5.6.0 and 5.6.1) contained malicious code (refer to CVE-2024-3094) and the package in Tumbleweed has been reverted back to version 5.4.
After reading this mail, please update your system and ensure you're downgrading xz to the version 5.6.1.revertto5.4. This version, despite its name, is version 5.4. The last step is to reboot your system.
Hopefully we'll soon have more detailed information about this CVE.
Have a nice weekend!
Ana from the openSUSE release team.
On 3/29/24 12:22, Ana Guerrero via openSUSE Users wrote:
Hi,
If you're using an up-to-date Tumbleweed, please make sure to update your system as soon as possible.
The latest versions of "xz" (5.6.0 and 5.6.1) contained malicious code (refer to CVE-2024-3094) and the package in Tumbleweed has been reverted back to version 5.4.
After reading this mail, please update your system and ensure you're downgrading xz to the version 5.6.1.revertto5.4. This version, despite its name, is version 5.4. The last step is to reboot your system.
Hopefully we'll soon have more detailed information about this CVE.
Have a nice weekend!
Ana from the openSUSE release team.
OUCH! FAQ on the xz-utils backdoor: https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27
--
David C. Rankin, J.D., P.E.
On 29.03.24 at 18:22, Ana Guerrero via openSUSE Users wrote:
Hi,
If you're using an up-to-date Tumbleweed, please make sure to update your system as soon as possible.
The latest versions of "xz" (5.6.0 and 5.6.1) contained malicious code (refer to CVE-2024-3094) and the package in Tumbleweed has been reverted back to version 5.4.
After reading this mail, please update your system and ensure you're downgrading xz to the version 5.6.1.revertto5.4. This version, despite its name, is version 5.4. The last step is to reboot your system.
Hopefully we'll soon have more detailed information about this CVE.
Have a nice weekend!
Ana from the openSUSE release team.
There was some pressure from the perpetrators to include their security holes in certain distributions.
How are the software packages included in Tumbleweed? Is there also the possibility that pressure may lead to packages being included in Suse Tumbleweed?
German (in translation): "...but also pushed Linux distributions to adopt the package versions he had prepared into their systems as quickly as possible." https://www.heise.de/news/xz-Attacke-Hintertuer-entraetselt-weitere-Details-...
"However, as current analyses show, a number of people pushed very actively for exactly that; presumably these, like Jia Tan, are also artificial personas of the attackers." https://www.heise.de/hintergrund/Die-xz-Hintertuer-das-verborgene-Oster-Dram...
BR
On 05.04.24 at 19:42, Andrei Borzenkov wrote:
On 05.04.2024 19:14, Peter Maffter via openSUSE Users wrote:
How are the software packages included in Tumbleweed?
This is being discussed right now where it belongs - on the Factory list.
I was reading "xz security alert and CVE-2024-3094" at https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/thread/4... but did not quite find the on-the-spot article showing which people decide which software package versions come into Tumbleweed. But maybe there is a simple webpage which I did not find?
BR and thanks
On 05.04.2024 22:48, Peter Maffter via openSUSE Users wrote:
On 05.04.24 at 19:42, Andrei Borzenkov wrote:
On 05.04.2024 19:14, Peter Maffter via openSUSE Users wrote:
How are the software packages included in Tumbleweed?
This is being discussed right now where it belongs - on the Factory list.
I was reading "xz security alert and CVE-2024-3094" at https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/thread/4... but did not quite find the on-the-spot article showing which people decide which software package versions come into Tumbleweed.
But maybe there is a simple webpage which I did not find?
BR and thanks
https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/thread/Y...