• [SECURITY] [DSA 5649-1] xz-utils security update

    From Salvatore Bonaccorso@21:1/5 to All on Fri Mar 29 17:20:01 2024
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA512

    - -------------------------------------------------------------------------
    Debian Security Advisory DSA-5649-1                   security@debian.org
    https://www.debian.org/security/                     Salvatore Bonaccorso
    March 29, 2024                        https://www.debian.org/security/faq
    - -------------------------------------------------------------------------

    Package : xz-utils
    CVE ID : CVE-2024-3094

    Andres Freund discovered that the upstream source tarballs for xz-utils,
    the XZ-format compression utilities, are compromised and inject
    malicious code, at build time, into the resulting liblzma5 library.

    Right now no Debian stable versions are known to be affected.
    Compromised packages were part of the Debian testing, unstable and
    experimental distributions, with versions ranging from 5.5.1alpha-0.1
    (uploaded on 2024-02-01), up to and including 5.6.1-1. The package has
    been reverted to use the upstream 5.4.5 code, which we have versioned 5.6.1+really5.4.5-1.

    Users running Debian testing and unstable are urged to update the
    xz-utils packages.

    For the detailed security status of xz-utils please refer to
    its security tracker page at: https://security-tracker.debian.org/tracker/xz-utils

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://www.debian.org/security/

    Mailing list: debian-security-announce@lists.debian.org
    -----BEGIN PGP SIGNATURE-----

    -----END PGP SIGNATURE-----
