Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix xz submodule url: the GitHub mirror was banned due to CVE-2024-3094 #8304

Merged
merged 1 commit into from
Apr 8, 2024
Merged

Fix xz submodule url: the GitHub mirror was banned due to CVE-2024-3094 #8304

merged 1 commit into from
Apr 8, 2024

Conversation

SweetVishnya
Copy link
Contributor

The current xz version is 5.4.4 which is not affected by CVE-2024-3094

@SweetVishnya SweetVishnya requested review from a team as code owners April 2, 2024 07:57
@SweetVishnya
Fix xz submodule url: the GitHub mirror was banned due to CVE-2024-3094
95a2577 
The current xz version is 5.4.4 which is not affected by CVE-2024-3094
@SweetVishnya
Copy link
Contributor Author

@directionless, I fixed xz submodule url that was banned on GitHub due to recent CVE.

directionless
directionless approved these changes Apr 2, 2024
View reviewed changes
Copy link
Member

@directionless directionless left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this is okay. (I think the old code was okay too, but that repo is gone now)

IIRC we moved to github because tukaani.org was having outages.

@SweetVishnya
Copy link
Contributor Author

@Smjert, can we merge it to fix build?

@Smjert Smjert merged commit 399bc10 into osquery:master Apr 8, 2024
13 of 16 checks passed
@Smjert
Copy link
Member

Smjert commented Apr 8, 2024
edited

NOTE: I merged in spite of the failure since it was unrelated (the macOS step failing due to failing to install python dependencies we need).
I'm fixing the issue on a separate PR, but needed to merge this or mine because otherwise there was a "deadlock".

@Smjert Smjert added the libraries For things referring to osquery third party libraries label Apr 8, 2024
@lszcs90
Copy link

lszcs90 commented Apr 23, 2024

Hello,

It will be soon a new release with this fix included?
If I'm not wrong, current tags cannot be used for (checkout&)builds, because of the mirror ban.

@directionless
Copy link
Member

We discussed this briefly in office hours today.

First, we were wondering if building master was adequet, or if you needed a release specifically.

Second, we observed that https://github.com/tukaani-project/xz is back

@lszcs90
Copy link

lszcs90 commented Apr 24, 2024
edited

Hello,

Thank you for the reply.

Second, we observed that https://github.com/tukaani-project/xz is back

Thanks, in this case my question it is not relevant anymore, builds from any (recent) tag should work, we don't need to include/cherry pick this commit.

@securitym0nkey securitym0nkey mentioned this pull request Jun 9, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@directionless directionless directionless approved these changes

Assignees
No one assigned
Labels
libraries For things referring to osquery third party libraries
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@SweetVishnya @Smjert @lszcs90 @directionless