
Vulnerable xz Package in current Pacman Mirror List #7

Closed
cdestefano opened this issue Mar 30, 2024 · 3 comments

Comments

@cdestefano

A known backdoor was put into xz in versions 5.6.0 and 5.6.1. I think I tracked it back to the right repo, as the mirror list is pulling latest. The same site bytemark.co.uk has the updated version of 03-29-2024 at the time of opening this issue, which should include 5.6.1-2. All versions of the image in the range 02-24-2024 to 03-28-2024 are affected.

I confirmed from downstream privoxy-vpn that pacman -Q --info xz returns 5.6.1-1.

While right now Arch Linux isn't noted as impacted due to its ssh implementation, Arch Linux is recommending updating immediately.

CVE-2024-3094:
NIST
Red Hat

Sources:
ArchLinux
Upstream Report
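The check the reporter describes (`pacman -Q xz` returning 5.6.1-1) can be scripted so it can be run on a host or inside a container image. This is an added example, not code from the issue thread or from binhex's images; it assumes, as the issue states, that 5.6.0-* and 5.6.1-1 are the affected Arch packages and that the rebuilt 5.6.1-2 (or later pkgrel) is fixed, and the image name in `check_image` is a placeholder.

```sh
#!/bin/sh
# Added example: classify an Arch "xz" package version against CVE-2024-3094
# using the versions named in the issue (5.6.0, 5.6.1-1 affected; 5.6.1-2 rebuilt).

# xz_status VERSION -> prints "vulnerable" or "ok" for a pacman version string
# such as "5.6.1-1" (pkgver-pkgrel). A bare upstream version with no pkgrel is
# treated as the upstream tarball, i.e. vulnerable for 5.6.0 / 5.6.1.
xz_status() {
    ver=$1
    case "$ver" in
        *-*) pkgver=${ver%-*}; pkgrel=${ver##*-} ;;
        *)   pkgver=$ver;      pkgrel=0 ;;
    esac
    case "$pkgver" in
        5.6.0) echo vulnerable ;;
        5.6.1)
            # Only the rebuilt package (pkgrel >= 2) is fixed; anything
            # unparsable is reported conservatively as vulnerable.
            if [ "${pkgrel%%.*}" -ge 2 ] 2>/dev/null; then echo ok; else echo vulnerable; fi ;;
        *) echo ok ;;
    esac
}

# check_pacman_line LINE -> parses one "pacman -Q xz" output line ("xz 5.6.1-1").
check_pacman_line() {
    set -- $1
    [ "$1" = xz ] || { echo "unexpected package: $1" >&2; return 2; }
    xz_status "$2"
}

# check_image IMAGE -> queries the package database inside a container image
# without starting its normal entrypoint (image name is whatever you run).
check_image() {
    check_pacman_line "$(docker run --rm --entrypoint pacman "$1" -Q xz)"
}

# When run directly on an Arch host, report the installed package.
if command -v pacman >/dev/null 2>&1; then
    echo "xz: $(check_pacman_line "$(pacman -Q xz)")"
fi
```

Run `check_image binhex/<image>:<tag>` (placeholder) for each downstream image to confirm the rebuild picked up 5.6.1-2.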

@binhex
Owner

binhex commented Mar 30, 2024

Thanks, I am currently performing a rebuild of the base image, which I will check once done; if it looks OK then I will kick off all downstream builds.

@shanelord01

Thanks, I am currently performing a rebuild of the base image, which I will check once done; if it looks OK then I will kick off all downstream builds.

Awesome - thanks for that. Can I provide an update to the unRAID forums that are calling this out?
https://forums.unraid.net/topic/159952-mar-29-2024-xzliblzma-potential-compromise/

@binhex
Owner

binhex commented Apr 3, 2024

The base image has been rebuilt, and most of the subsequent images have also been rebuilt. The reason not all have been rebuilt is an unrelated arm64 issue; sadly I ran out of time as I'm on holiday now, but I shall take another look at this and finish off the build of the other images.

Please do keep in mind the risk here is next to zero: systemd is non-operational, openssh is not installed in any of my images, and Arch was not susceptible to the attack.

@binhex binhex closed this as completed May 7, 2024