From yvoinov at gmail.com Tue Apr 2 13:37:53 2024
From: yvoinov at gmail.com (Yuri)
Date: Tue, 2 Apr 2024 16:37:53 +0500
Subject: CSWxz and CVE-2024-3094
Message-ID: <7683c2cc-f499-4de0-aabe-7294175b1c79@gmail.com>

Hi there,

what about CVE-2024-3094 and the current version of CSWxz?

https://nvd.nist.gov/vuln/detail/CVE-2024-3094

Just FYI.

WBR, Yuri


From dam at opencsw.org Tue Apr 2 14:03:35 2024
From: dam at opencsw.org (Dagobert Michelsen)
Date: Tue, 2 Apr 2024 14:03:35 +0200
Subject: CSWxz and CVE-2024-3094
In-Reply-To: <7683c2cc-f499-4de0-aabe-7294175b1c79@gmail.com>
References: <7683c2cc-f499-4de0-aabe-7294175b1c79@gmail.com>
Message-ID: <553E6CD9-06CB-4CDB-B5E2-2FE0B50FCF0E@opencsw.org>

Hi Yuri,

> On 02.04.2024 at 13:37, Yuri via users wrote:
> what about CVE-2024-3094 and the current version of CSWxz?
>
> https://nvd.nist.gov/vuln/detail/CVE-2024-3094

Ihsan already prepared an updated package which should show up soon.


Best regards

- Dago

--
"You don't become great by trying to be great, you become great by wanting to do something, and then doing it so hard that you become great in the process." - xkcd #896


From yvoinov at gmail.com Tue Apr 2 14:15:34 2024
From: yvoinov at gmail.com (Yuri)
Date: Tue, 2 Apr 2024 17:15:34 +0500
Subject: CSWxz and CVE-2024-3094
In-Reply-To: <553E6CD9-06CB-4CDB-B5E2-2FE0B50FCF0E@opencsw.org>
References: <7683c2cc-f499-4de0-aabe-7294175b1c79@gmail.com> <553E6CD9-06CB-4CDB-B5E2-2FE0B50FCF0E@opencsw.org>
Message-ID:

Well, waiting for it. Thank you.

On 02.04.2024 at 17:03, Dagobert Michelsen wrote:
> Hi Yuri,
>
>> On 02.04.2024 at 13:37, Yuri via users wrote:
>> what about CVE-2024-3094 and the current version of CSWxz?
>>
>> https://nvd.nist.gov/vuln/detail/CVE-2024-3094
> Ihsan already prepared an updated package which should show up soon.
>
>
> Best regards
>
> - Dago
>


From ihsan at opencsw.org Tue Apr 2 14:22:58 2024
From: ihsan at opencsw.org (Ihsan Dogan)
Date: Tue, 2 Apr 2024 14:22:58 +0200
Subject: CSWxz and CVE-2024-3094
In-Reply-To: <553E6CD9-06CB-4CDB-B5E2-2FE0B50FCF0E@opencsw.org>
References: <7683c2cc-f499-4de0-aabe-7294175b1c79@gmail.com> <553E6CD9-06CB-4CDB-B5E2-2FE0B50FCF0E@opencsw.org>
Message-ID:

Hi Yuri

> On 02.04.2024 at 14:03, Dagobert Michelsen wrote:
>
>> what about CVE-2024-3094 and the current version of CSWxz?
>>
>> https://nvd.nist.gov/vuln/detail/CVE-2024-3094
>
> Ihsan already prepared an updated package which should show up soon.

Yes, I am on it. I am preparing a rollback to the last 5.4 release. It should be out either today or tomorrow.

Regards
Ihsan


From noloader at gmail.com Tue Apr 2 14:37:33 2024
From: noloader at gmail.com (Jeffrey Walton)
Date: Tue, 2 Apr 2024 08:37:33 -0400
Subject: CSWxz and CVE-2024-3094
In-Reply-To:
References: <7683c2cc-f499-4de0-aabe-7294175b1c79@gmail.com> <553E6CD9-06CB-4CDB-B5E2-2FE0B50FCF0E@opencsw.org>
Message-ID:

On Tue, Apr 2, 2024 at 8:23 AM Ihsan Dogan via users wrote:
>
> > On 02.04.2024 at 14:03, Dagobert Michelsen wrote:
> >
> >> what about CVE-2024-3094 and the current version of CSWxz?
> >>
> >> https://nvd.nist.gov/vuln/detail/CVE-2024-3094
> >
> > Ihsan already prepared an updated package which should show up soon.
>
> Yes, I am on it. I am preparing a rollback to the last 5.4 release. It should be out either today or tomorrow.

Jia Tan started contributing to xz circa the development version 5.3.
To get untainted code, you have to go back to version 5.2. But rolling
back to version 5.2 means ABI and symbol breaks. If you don't want to
go back to 5.2, then it means you have to audit over 700 commits in
xz. Also see .

Jia Tan started influencing code before the persona (he/she/it?) had
check-in privileges. Also see .

Jeff


From ihsan at opencsw.org Tue Apr 2 14:57:04 2024
From: ihsan at opencsw.org (Ihsan Dogan)
Date: Tue, 2 Apr 2024 14:57:04 +0200
Subject: CSWxz and CVE-2024-3094
In-Reply-To:
References: <7683c2cc-f499-4de0-aabe-7294175b1c79@gmail.com> <553E6CD9-06CB-4CDB-B5E2-2FE0B50FCF0E@opencsw.org>
Message-ID:

Hi

> On 02.04.2024 at 14:37, Jeffrey Walton via users wrote:
>>>> what about CVE-2024-3094 and the current version of CSWxz?
>>>>
>>>> https://nvd.nist.gov/vuln/detail/CVE-2024-3094
>>>
>>> Ihsan already prepared an updated package which should show up soon.
>>
>> Yes, I am on it. I am preparing a rollback to the last 5.4 release. It should be out either today or tomorrow.
>
> Jia Tan started contributing to xz circa the development version 5.3.
> To get untainted code, you have to go back to version 5.2. But rolling
> back to version 5.2 means ABI and symbol breaks. If you don't want to
> go back to 5.2, then it means you have to audit over 700 commits in
> xz. Also see .
>
> Jia Tan started influencing code before the persona (he/she/it?) had
> check-in privileges. Also see
> .

Thanks for the hint. In this case, I am going back to 5.2.9. 5.2.9 does contain security issues, but at least it should not have any code from Jia Tan.

-Ihsan


From ihsan at opencsw.org Tue Apr 2 15:29:48 2024
From: ihsan at opencsw.org (Ihsan Dogan)
Date: Tue, 2 Apr 2024 15:29:48 +0200
Subject: Statement on backdoor in xz package
Message-ID: <7BB1038C-932C-4E55-B1F2-B60B6B86915F@opencsw.org>

Recently, a backdoor [1] was discovered in the xz compression library. xz/liblzma [2] are packaged by the OpenCSW project, and various other packages depend on the liblzma library [3].

Today I released version 5.6.0r529 to the repository, which is based on 5.2.9. This is the last release before Jia Tan got active in the xz project [4] (thanks to Jeffrey Walton for the hint). Be aware that the 5.2.9 release might contain other security-related issues.

The downgrade might break ABIs to other packages, and we are currently verifying whether any packages are affected by the downgrade.

I am constantly monitoring the current development around xz and I will update the package accordingly.

[1] https://www.openwall.com/lists/oss-security/2024/03/29/4
[2] https://www.opencsw.org/packages/CSWxz/
[3] https://www.opencsw.org/packages/liblzma5/
[4] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068024#5

Regards
Ihsan
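The thread turns on two checks an administrator or packager would actually run: which xz/liblzma version is installed (5.6.0 and 5.6.1 are the release tarballs CVE-2024-3094 names), and whether a given binary links liblzma at all, which is what the ABI concern in the statement comes down to. The POSIX shell script below is an added example, not code from the OpenCSW project or from anyone in this thread. It assumes that `xz --version` prints the tool version on its first line followed by a `liblzma <version>` line, that `ldd` is available (Solaris and Linux both print one "name => path" line per library), and that the 5.2.x/5.3 cutoff Jeffrey Walton describes is the right audit boundary. The function names and the `audit`/`pre-jiatan` labels are made up for the example.

```shell
#!/bin/sh
# Added example (not OpenCSW project code): classify an installed xz/liblzma
# in the light of CVE-2024-3094 and of the rollback discussed in the thread.
# Assumptions: CVE-2024-3094 covers the 5.6.0 and 5.6.1 releases; the 5.2.x
# line predates the "Jia Tan" commits (per Jeffrey Walton's mail); `ldd`
# exists and prints one line per linked library.

# Version of the xz tool from `xz --version` output, whose first line looks
# like "xz (XZ Utils) 5.6.1".
xz_version_from_output() {
    printf '%s\n' "$1" | awk 'NR == 1 { print $NF }'
}

# Version of the library from the same output, from the "liblzma 5.6.1" line.
# The two can differ when the library package was downgraded separately.
liblzma_version_from_output() {
    printf '%s\n' "$1" | awk '/^liblzma / { print $2 }'
}

# Map a version string to a risk class:
#   backdoored  - 5.6.0 / 5.6.1, the releases named by CVE-2024-3094
#   audit       - 5.3.0 and later: built from a tree that contains the
#                 contested commits and would need auditing (per the thread)
#   pre-jiatan  - 5.2.x and earlier, the rollback target chosen in the thread
#   unknown     - anything unparseable
classify_xz_version() {
    case "$1" in
        5.6.0|5.6.1)                                echo backdoored ;;
        5.3.*|5.4.*|5.5.*|5.6.*|5.[7-9].*|[6-9].*)  echo audit ;;
        5.[0-2].*|4.*)                              echo pre-jiatan ;;
        *)                                          echo unknown ;;
    esac
}

# Return 0 if the ELF binary BIN dynamically links liblzma, 1 otherwise.
# Useful for the ABI question in the statement: every binary that prints
# a liblzma line here is affected by a liblzma downgrade.
links_liblzma() {
    ldd "$1" 2>/dev/null | grep -q 'liblzma'
}

# Audit the xz found in PATH and print one line per component:
#   xz 5.2.9 pre-jiatan
#   liblzma 5.2.9 pre-jiatan
audit_local_xz() {
    out=$(xz --version 2>/dev/null) || { echo "xz not found in PATH"; return 1; }
    xv=$(xz_version_from_output "$out")
    lv=$(liblzma_version_from_output "$out")
    echo "xz $xv $(classify_xz_version "$xv")"
    echo "liblzma $lv $(classify_xz_version "$lv")"
}

# Only run the live audit when invoked with --run, so the functions can be
# sourced from another script without side effects.
if [ "${1:-}" = "--run" ]; then
    audit_local_xz
fi
```

Run it as `sh xz-check.sh --run` to audit the xz in PATH, or source it and call `links_liblzma /path/to/binary` on each program you care about. It checks version strings only, which is what the thread discusses; it says nothing about a tarball that was rebuilt with the backdoor under another version number, and a `pre-jiatan` result still leaves the older 5.2.x issues the statement warns about.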