> On 02.04.2024 at 14:57, Ihsan Dogan via users <[email protected]> wrote:
>
>>>>> what about CVE-2024-3094 and current version CSWxz?
>>>>>
>>>>> https://nvd.nist.gov/vuln/detail/CVE-2024-3094
>>>>
>>>> Ihsan already prepared an updated package which should show up soon.
>>>
>>> Yes, I am on it. I am preparing a rollback to the last 5.4 release. Should
>>> be out either today or tomorrow.
>>
>> Jia Tan started contributing to xz circa the development version 5.3.
>> To get untainted code, you have to go back to version 5.2. But rolling
>> back to version 5.2 means ABI and symbol breaks. If you don't want to
>> go back to 5.2, then it means you have to audit over 700 commits in
>> xz. Also see <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068024#5>.
>>
>> Jia Tan started influencing code before the persona (he/she/it?) had
>> check-in privileges. Also see
>> <https://www.mail-archive.com/[email protected]/msg00571.html>.
>
> Thanks for the hint. In this case, I am going back to 5.2.9. 5.2.9 does
> contain security issues, but at least it should not have any code from Jia
> Tan.
I have pushed 5.6.2 today to the catalog, which is the first 5.6 xz release without the backdoor.

Regards
Ihsan
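The thread sorts xz releases into bands: 5.6.0 and 5.6.1 carry the CVE-2024-3094 backdoor, 5.6.2 is the first clean 5.6 release, 5.3 through 5.5 contain Jia Tan commits that would need auditing, and 5.2.x predates that contributor. Below is an added shell example, not code from the thread or from the OpenCSW project, that parses the first line of `xz --version` output and classifies the version into those bands; the banner string it runs on is constructed inline, and the function and band names are my own.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Classifies an xz version
# against the release bands discussed above:
#   backdoored  - 5.6.0 / 5.6.1, the CVE-2024-3094 releases
#   clean-5.6+  - 5.6.2 and later, first 5.6 release without the backdoor
#   jiatan-era  - 5.3.x to 5.5.x, contains Jia Tan commits (audit needed)
#   pre-5.3     - 5.2.x and earlier, before that contributor
#   unknown     - not a parseable x.y[.z] version string

# Extract "x.y.z" from the first line of `xz --version`,
# e.g. "xz (XZ Utils) 5.6.1" -> "5.6.1". Prints nothing if it does not match.
xz_version_from_banner() {
    printf '%s\n' "$1" | sed -n '1s/.*XZ Utils) *\([0-9][0-9.]*\).*/\1/p'
}

# Print the band for one version string (see table above).
xz_status() {
    case $1 in
        5.6.0|5.6.1) echo backdoored; return 0 ;;
    esac
    printf '%s\n' "$1" | awk -F. '
        NF < 2 || $1 !~ /^[0-9]+$/ || $2 !~ /^[0-9]+$/ { print "unknown"; exit }
        $1 > 5 || ($1 == 5 && $2 >= 6)                { print "clean-5.6+"; exit }
        $1 == 5 && $2 >= 3                            { print "jiatan-era"; exit }
                                                      { print "pre-5.3" }'
}

# Constructed sample banner standing in for real `xz --version` output.
SAMPLE_BANNER='xz (XZ Utils) 5.6.1
liblzma 5.6.1'

ver=$(xz_version_from_banner "$SAMPLE_BANNER")
printf 'xz %s: %s\n' "$ver" "$(xz_status "$ver")"
```

To run it against a real host, replace `SAMPLE_BANNER` with `$(xz --version 2>/dev/null)`; a result of `backdoored` means the binary is one of the two CVE-2024-3094 releases and should be replaced with 5.6.2 or a pre-5.6 package as the thread describes.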
