CSWxz and CVE-2024-3094
Ihsan Dogan
ihsan at opencsw.org
Tue Apr 2 14:57:04 CEST 2024
Hi
> On 02.04.2024 at 14:37, Jeffrey Walton via users <users at lists.opencsw.org> wrote:
>>>> what about CVE-2024-3094 and current version CSWxz?
>>>>
>>>> https://nvd.nist.gov/vuln/detail/CVE-2024-3094
>>>
>>> Ihsan already prepared an updated package which should show up soon.
>>
>> Yes, I am on it. I am preparing a rollback to the last 5.4 release. Should be out either today or tomorrow.
>
> Jia Tan started contributing to xz circa the development version 5.3.
> To get untainted code, you have to go back to version 5.2. But rolling
> back to version 5.2 means ABI and symbol breaks. If you don't want to
> go back to 5.2, then it means you have to audit over 700 commits in
> xz. Also see <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068024#5>.
>
> Jia Tan started influencing code before the persona (he/she/it?) had
> check-in privileges. Also see
> <https://www.mail-archive.com/xz-devel@tukaani.org/msg00571.html>.
Thanks for the hint. In this case, I am going back to 5.2.9. 5.2.9 does contain security issues, but at least it should not have any code from Jia Tan.
-Ihsan
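The version boundaries discussed in this thread, turned into a check a packager or admin can run, as an added example that is not code from this thread, from OpenCSW or from XZ Utils. It classifies an xz/liblzma version as backdoored (5.6.0 and 5.6.1, the releases named by CVE-2024-3094), as carrying commits from the Jia Tan era (5.3.0 and later, following Jeffrey's point above), or as older than that, and tests a version against the 5.2.9 rollback target Ihsan chose. The parser assumes the `xz --version` output format ("xz (XZ Utils) X.Y.Z" followed by "liblzma X.Y.Z"); the function names and the sample output embedded below are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the OpenCSW thread or from XZ Utils itself.
# Version facts assumed:
#   - 5.6.0 and 5.6.1 are the XZ Utils releases named by CVE-2024-3094.
#   - Jia Tan's contributions begin in the 5.3.x development series, so the
#     thread treats 5.2.x as the last series without their code and picks
#     5.2.9 as the rollback target.
# Function names and the sample `xz --version` output are constructed here.

# Split "MAJOR.MINOR.PATCH[suffix]" into three numbers; missing parts become 0,
# and a suffix such as "alpha"/"beta" is dropped.
xz_split_version() {
    v=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')
    (
        IFS=.
        set -- $v
        printf '%d %d %d\n' "${1:-0}" "${2:-0}" "${3:-0}"
    )
}

# Print -1, 0 or 1 as version $1 is older than, equal to, or newer than $2.
# Compares component by component, so 5.10.0 sorts after 5.9.3.
xz_version_cmp() {
    set -- $(xz_split_version "$1") $(xz_split_version "$2")
    for pair in "$1 $4" "$2 $5" "$3 $6"; do
        x=${pair% *}
        y=${pair#* }
        if [ "$x" -lt "$y" ]; then echo -1; return 0; fi
        if [ "$x" -gt "$y" ]; then echo 1; return 0; fi
    done
    echo 0
}

# Classify a version string:
#   backdoored  - 5.6.0 or 5.6.1 (CVE-2024-3094)
#   jiatan-era  - 5.3.0 or later (contains commits from the Jia Tan era)
#   pre-jiatan  - anything older
xz_classify() {
    if [ "$(xz_version_cmp "$1" 5.6.0)" -ge 0 ] && \
       [ "$(xz_version_cmp "$1" 5.6.1)" -le 0 ]; then
        echo backdoored
    elif [ "$(xz_version_cmp "$1" 5.3.0)" -ge 0 ]; then
        echo jiatan-era
    else
        echo pre-jiatan
    fi
}

# Exit 0 when version $1 is at or below the rollback target (default 5.2.9).
xz_at_or_below_target() {
    [ "$(xz_version_cmp "$1" "${2:-5.2.9}")" -le 0 ]
}

# Extract the xz version from `xz --version` output ("xz (XZ Utils) X.Y.Z").
xz_parse_version_output() {
    printf '%s\n' "$1" | awk 'NR == 1 { print $4; exit }'
}

# Extract the liblzma version from the same output ("liblzma X.Y.Z" line).
xz_parse_liblzma_output() {
    printf '%s\n' "$1" | awk '$1 == "liblzma" { print $2; exit }'
}

# Constructed sample of what `xz --version` prints for a backdoored build.
SAMPLE_XZ_VERSION_OUTPUT="xz (XZ Utils) 5.6.1
liblzma 5.6.1"

# Stand-alone run: report on the sample, then on the installed binary if any.
# XZ_CHECK_RUN is a constructed knob so the file can be sourced silently.
if [ "${XZ_CHECK_RUN:-1}" = 1 ]; then
    v=$(xz_parse_version_output "$SAMPLE_XZ_VERSION_OUTPUT")
    echo "sample:    $v -> $(xz_classify "$v")"
    if command -v xz >/dev/null 2>&1; then
        out=$(xz --version 2>/dev/null || true)
        iv=$(xz_parse_version_output "$out")
        lv=$(xz_parse_liblzma_output "$out")
        echo "installed: xz $iv -> $(xz_classify "$iv"), liblzma $lv -> $(xz_classify "$lv")"
        if xz_at_or_below_target "$lv"; then
            echo "installed liblzma is at or below the 5.2.9 rollback target"
        fi
    fi
fi
```

Both the `xz` and the `liblzma` lines are checked because a package can ship a tool and a shared library at different versions; the library is the part sshd-linked processes load, so it is the one that matters for the rollback decision.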