A known backdoor was put into xz in versions 5.6.0 and 5.6.1. I think I tracked it back to the right repo, as the mirror list is pulling latest. The same site bytemark.co.uk has the updated version of 03-29-2024 at the time of opening this issue, which should include 5.6.1-2. All versions of the image during the range of 02-24-2024 and 03-28-2024 are affected.
I confirmed from downstream privoxy-vpn that `pacman -Q --info xz` returns 5.6.1-1.
While right now Arch Linux isn't noted as impacted due to its ssh implementation, Arch Linux is recommending updating immediately.
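An added check (not part of the issue or the image project) that classifies the package version `pacman -Q xz` reports inside an Arch-based image, using the facts above: upstream 5.6.0 and 5.6.1 carry the CVE-2024-3094 backdoor, and Arch's 5.6.1-2 rebuild is the fixed package. The `check_image` helper and its docker invocation are assumptions for illustration.

```shell
#!/bin/sh
# Added example: classify one line of "pacman -Q xz" output ("xz 5.6.1-1").
# Prints exactly one of: affected, fixed, unaffected, unknown.
xz_status() {
  line=$1
  name=${line%% *}                 # package name before the first space
  pkgver=${line#* }                # "5.6.1-1" (pkgver-pkgrel)
  # Only the xz package itself is in scope; a line without a space is malformed.
  if [ "$name" != xz ] || [ "$pkgver" = "$line" ]; then
    echo unknown
    return
  fi
  pkgver=${pkgver#*:}              # drop an epoch prefix if one is ever present
  upstream=${pkgver%-*}            # "5.6.1"
  rel=${pkgver##*-}                # "1"
  case "$upstream" in
    5.6.0) echo affected ;;        # every 5.6.0 build shipped the backdoor
    5.6.1)
      case "$rel" in
        *[!0-9]*|'') echo unknown ;;   # non-numeric pkgrel: do not guess
        *) if [ "$rel" -ge 2 ]; then echo fixed; else echo affected; fi ;;
      esac ;;
    *) echo unaffected ;;          # any other upstream release
  esac
}

# Hypothetical helper: run the query inside an image and classify the result.
# Requires docker and an Arch-based image; not exercised by the test below.
check_image() {
  docker run --rm "$1" pacman -Q xz 2>/dev/null | while read -r l; do
    printf '%s: %s\n' "$1" "$(xz_status "$l")"
  done
}
```

Running `check_image` against each tag built between the dates named above gives one status per image, so a fleet can be triaged without pulling every tarball by hand.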
The base image has been rebuilt and most of the subsequent images have also been rebuilt; the reason not all have been rebuilt is an unrelated arm64 issue. Sadly I ran out of time as I'm on holiday now, but I shall take another look at this and finish off the build of the other images.
Please do keep in mind the risk here is next to zero: systemd is non-operational, openssh is not installed in any of my images, and Arch was not susceptible to the attack.
CVE-2024-3094: NIST, Red Hat
Sources: ArchLinux, Upstream Report