CSWxz and CVE-2024-3094

Ihsan Dogan ihsan at opencsw.org
Tue Apr 2 14:57:04 CEST 2024


> Am 02.04.2024 um 14:37 schrieb Jeffrey Walton via users <users at lists.opencsw.org>:

>>>> what about CVE-2024-3094 and current version CSWxz?
>>>> https://nvd.nist.gov/vuln/detail/CVE-2024-3094
>>> Ihsan already prepared an updated package which should show up soon.
>> Yes, I am on it. I am preparing a rollback to the last 5.4 release. Should be out either today or tomorrow.
> Jia Tan started contributing to xz circa the development version 5.3.
> To get untainted code, you have to go back to version 5.2. But rolling
> back to version 5.2 means ABI and symbol breaks. If you don't want to
> go back to 5.2, then it means you have to audit over 700 commits in
> xz. Also see <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068024#5>.
> Jia Tan started influencing code before the persona (he/she/it?) had
> check-in privileges. Also see
> <https://www.mail-archive.com/xz-devel@tukaani.org/msg00571.html>.

Thanks for the hint. In this case, I am going back to 5.2.9. 5.2.9 does contain security issues, but at least it should not have any code from Jian Tian.


More information about the users mailing list