liblzma version

[wwuck]

Describe the solution you'd like

I've noticed that the linuxfabrik-monitoring-plugins deb package version 2023112901-1 contains liblzma.so.5.

Which version of liblzma is this? I would like to confirm that this library file is not vulnerable to CVE-2024-3094.

https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27

https://access.redhat.com/security/cve/CVE-2024-3094

https://nvd.nist.gov/vuln/detail/CVE-2024-3094

https://security-tracker.debian.org/tracker/CVE-2024-3094

https://lists.debian.org/debian-security-announce/2024/msg00057.html

Additional context

No response

[markuslf]

All package builds use the official distros, so the version of the shipped libs will always match those on vanilla Debian/Ubuntu/RHEL. The zip and tarballs are currently (20240404) built on RHEL7. So the versions are:

repo.linuxfabrik.ch

• debian 10 buster: 5.2.4
• debian 11 bullseye: 5.2.5
• debian 12 bookworm: 5.4.1
• rhel 7: 5.2.2
• rhel 8: 5.2.4
• rhel 9: 5.2.5
• ubuntu 18.04 bionic: 5.2.2
• ubuntu 20.04 focal: 5.2.4
• ubuntu 22.04 jammy: 5.2.5

download.linuxfabrik.ch:

• tar: 5.2.2
• zip: 5.2.2

See also our Blog-Post https://www.linuxfabrik.ch/en/blog/linuxfabrik-monitoring-plugins-liblzma (same content).