On 30.03.2024 01:49, arekm wrote:
> commit b369fe78b7b4a02e900fb6fe7ac035a9bba39436
> Author: Arkadiusz Miśkiewicz <ar...@maven.pl>
> Date:   Fri Mar 29 23:50:59 2024 +0100
> 
>     Revert back to 5.4.6 as 5.6.x are BACKDOORED! 
> https://www.openwall.com/lists/oss-security/2024/03/29/4
> 
>  xz.spec | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> ---
> diff --git a/xz.spec b/xz.spec
> index a36b5df..8094d11 100644
> --- a/xz.spec
> +++ b/xz.spec
> @@ -19,8 +19,8 @@ Summary:    LZMA Encoder/Decoder
>  Summary(pl.UTF-8):   Koder/Dekoder LZMA
>  Name:                xz
>  Version:     5.4.6
> -Release:     1
> -Epoch:               1
> +Release:     2
> +Epoch:               2
>  License:     LGPL v2.1+, helper scripts on GPL v2+
>  Group:               Applications/Archiving
>  Source0:     
> https://github.com/tukaani-project/xz/releases/download/v%{version}/%{name}-%{version}.tar.bz2
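Review bot: the hunk changes Epoch from 1 to 2 together with Release, but the commit message only says "Revert back to 5.4.6" and never explains the Epoch bump; since RPM compares Epoch before Version, the bump is what lets this 5.4.6 build replace the 5.6.x packages presumably already published under Epoch 1, and that reasoning belongs in the message (e.g. "bump Epoch so 5.4.6-2 upgrades over 5.6.x"). Note also that "Version: 5.4.6" is unchanged context in this hunk, so the actual version revert must have landed earlier; a sentence pointing at that commit would help whoever reads the history later. Finally, Source0 fetches the GitHub release tarball rather than a git tag, so the checksum used to verify the 5.4.6 tarball should be recorded alongside the revert.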

Some notes from what I've gathered so far from a rather lengthy HN
thread:

- The main backdoor appears to affect /usr/sbin/sshd on x86_64, with liblzma
  being pulled in as an indirect dependency. liblzma can be loaded by
  libsystemd if sshd was built with additional systemd patches, which PLD
  does not use (unlike Debian and Fedora). So _possibly_ PLD is not
  affected.

- Despite that, some claims are starting to surface that going back to 5.4.6
  might not be enough, so let's see how this drama develops.
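As an added illustration of the dependency path described above (this is example code written for this page, not a script from the thread or from PLD), the following POSIX shell checker walks the `ldd` output of an sshd binary, reports whether liblzma is in its dependency tree, whether libsystemd is the route it arrives by, and which liblzma version the soname symlink resolves to. It assumes GNU `ldd` and `readlink -f`; the sample `ldd` output embedded at the bottom is constructed, and every path and version in it is hypothetical.

```shell
#!/bin/sh
# Added example (not from the original thread or from PLD): detect liblzma
# reaching sshd as an indirect dependency, e.g. via libsystemd on distros
# that patch sshd for systemd notification. Assumes GNU ldd and readlink.

# Print the resolved liblzma path from ldd output ($1), or nothing if absent.
# ldd prints the whole transitive closure, so an indirect dependency shows up.
liblzma_path_from_ldd() {
    printf '%s\n' "$1" | awk '$1 ~ /^liblzma\.so/ { print $3; exit }'
}

# Exit 0 if libsystemd is in the ldd output ($1), the usual indirect route.
libsystemd_in_ldd() {
    printf '%s\n' "$1" | awk '$1 ~ /^libsystemd\.so/ { found = 1 } END { exit !found }'
}

# Strip everything up to and including "liblzma.so." from a resolved path,
# e.g. /lib64/liblzma.so.5.6.1 -> 5.6.1 (pure string operation, no filesystem).
liblzma_version_from_path() {
    printf '%s\n' "${1##*liblzma.so.}"
}

# Classify a liblzma version against the thread's statement that 5.6.x is
# the backdoored series; anything else is reported as outside that series.
classify_liblzma_version() {
    case "$1" in
        5.6.*) echo "backdoored-series" ;;
        *)     echo "not-5.6.x" ;;
    esac
}

# Run the checks against a real binary (default /usr/sbin/sshd) and print a
# one-line verdict; returns 2 if ldd cannot inspect the binary.
check_sshd() {
    bin=${1:-/usr/sbin/sshd}
    out=$(ldd "$bin" 2>/dev/null) || { echo "cannot run ldd on $bin"; return 2; }
    path=$(liblzma_path_from_ldd "$out")
    if [ -z "$path" ]; then
        echo "$bin: liblzma not in dependency tree"
        return 0
    fi
    # Resolve the soname symlink (liblzma.so.5 -> liblzma.so.5.x.y) to get the version.
    real=$(readlink -f "$path" 2>/dev/null || printf '%s' "$path")
    ver=$(liblzma_version_from_path "$real")
    if libsystemd_in_ldd "$out"; then via="via libsystemd"; else via="directly"; fi
    echo "$bin: loads liblzma $ver ($real) $via: $(classify_liblzma_version "$ver")"
}

# Constructed sample of ldd output (hypothetical paths, addresses and versions),
# shaped like what a systemd-patched sshd would print.
SAMPLE_LDD='    linux-vdso.so.1 (0x00007ffc00000000)
    libsystemd.so.0 => /lib64/libsystemd.so.0 (0x00007f0000000000)
    liblzma.so.5 => /lib64/liblzma.so.5 (0x00007f0000100000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f0000200000)'

# Inspect the live system only when explicitly asked: CHECK_LIVE=1 ./check.sh [binary]
if [ "${CHECK_LIVE:-0}" = 1 ]; then
    check_sshd "$@"
fi
```

On a PLD box, where sshd is not built against libsystemd, `check_sshd` is expected to report "liblzma not in dependency tree"; on a Debian or Fedora style build it reports the resolved version, which is the number to compare against the revert.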
_______________________________________________
pld-devel-en mailing list
pld-devel-en@lists.pld-linux.org
http://lists.pld-linux.org/mailman/listinfo/pld-devel-en
