I just read about the backdoor on xz-utils from CVE-2024-3094 (not yet
synced to Launchpad CVE, I can't use the Link to CVE feature) and I
wanted to know more about Ubuntu's status.

Please avoid syncing any vulnerable version.

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-3094

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to xz-utils in Ubuntu.
https://bugs.launchpad.net/bugs/2055422

Title:
  Please sync xz-utils 5.6.0-0.2 from Debian experimental

Status in xz-utils package in Ubuntu:
  New

Bug description:
  Xz-utils 5.6.0 was released last Friday. It features much faster
  decompression code on all platforms, but on x86_64 in particular it is
  60% faster in my testing. It also aligns better with current practices
  of enabling multi-threading by default (always with a default memory
  limit of 25% of the system physical memory).

  Sebastian Andrzej Siewior has uploaded it to experimental and after a
  few fixes for integration (due to extra output on stderr in
  particular), has uploaded xz-utils 5.6.0-0.2.

  I expect tests to pass now considering they almost all succeeded with
  the first upload.
  I am aware of tweaks to other packages too but I'm not sure they will
  actually be needed with this new upload and since they relate to
  pristine-tar and/or dpkg, I think it's probably better to be sure first
  due to the ongoing migrations.

  Thanks.
