CSWxz and CVE-2024-3094

Jeffrey Walton noloader at gmail.com
Tue Apr 2 14:37:33 CEST 2024


On Tue, Apr 2, 2024 at 8:23 AM Ihsan Dogan via users
<users at lists.opencsw.org> wrote:
>
> > On 02.04.2024 at 14:03, Dagobert Michelsen <dam at opencsw.org> wrote:
> >
> >> what about CVE-2024-3094 and current version CSWxz?
> >>
> >> https://nvd.nist.gov/vuln/detail/CVE-2024-3094
> >
> > Ihsan already prepared an updated package which should show up soon.
>
> Yes, I am on it. I am preparing a rollback to the last 5.4 release. Should be out either today or tomorrow.

Jia Tan started contributing to xz circa the development version 5.3.
To get untainted code, you have to go back to version 5.2. But rolling
back to version 5.2 means ABI and symbol breaks. If you don't want to
go back to 5.2, then it means you have to audit over 700 commits in
xz. Also see <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068024#5>.

Jia Tan started influencing code before the persona (he/she/it?) had
check-in privileges. Also see
<https://www.mail-archive.com/xz-devel@tukaani.org/msg00571.html>.

Jeff

