CSWxz and CVE-2024-3094
Ihsan Dogan
ihsan at opencsw.org
Thu Jun 13 11:05:53 CEST 2024
H
> Am 02.04.2024 um 14:57 schrieb Ihsan Dogan via users <users at lists.opencsw.org>:
>
>>>>> what about CVE-2024-3094 and current version CSWxz?
>>>>>
>>>>> https://nvd.nist.gov/vuln/detail/CVE-2024-3094
>>>>
>>>> Ihsan already prepared an updated package which should show up soon.
>>>
>>> Yes, I am on it. I am preparing a rollback to the last 5.4 release. Should be out either today or tomorrow.
>>
>> Jia Tan started contributing to xz circa the development version 5.3.
>> To get untainted code, you have to go back to version 5.2. But rolling
>> back to version 5.2 means ABI and symbol breaks. If you don't want to
>> go back to 5.2, then it means you have to audit over 700 commits in
>> xz. Also see <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068024#5>.
>>
>> Jia Tan started influencing code before the persona (he/she/it?) had
>> check-in privileges. Also see
>> <https://www.mail-archive.com/xz-devel@tukaani.org/msg00571.html>.
>
> Thanks for the hint. In this case, I am going back to 5.2.9. 5.2.9 does contain security issues, but at least it should not have any code from Jian Tian.
I have pushed 5.6.2 today to the catalog, which is the first 5.6 xz release without the backdoor.
Regards
Ihsan
More information about the users
mailing list