clearlinux / clr-bundles

Bundle definitions for Clear Linux OS
112 stars, 54 forks

xz-utils compromised >= 5.6.0 #255

Closed Pamalosebi closed 3 months ago

Pamalosebi commented 3 months ago

As it seems, xz-utils was compromised. Please downgrade them to somewhere pre-5.6.0...

For reference: https://access.redhat.com/security/cve/CVE-2024-3094#cve-cvss-v3 https://www.openwall.com/lists/oss-security/2024/03/29/4 https://nvd.nist.gov/vuln/detail/CVE-2024-3094

fenrus75 commented 3 months ago

41370 is rolling out already with this done

Also, we got lucky: our sshd did not link to liblzma ;)

There will be a 380 later today/early tomorrow that has xz usage removed from as many places in the OS as possible, since most of those were optional stuff and... our patience with that just ended today.

On Fri, Mar 29, 2024 at 3:36 PM Pamalosebi wrote:

fenrus75 commented 3 months ago

(if you cannot wait for the rollout, "swupd update --format staging" gets you to that release instantly)

On Fri, Mar 29, 2024 at 3:44 PM Arjan van de Ven wrote:

Pamalosebi commented 3 months ago

Thank you so much! Awesome 😊

fenrus75 commented 3 months ago

(the 370 build rollout has reached my machines -- it might have reached yours as well by now)

On Fri, Mar 29, 2024 at 3:47 PM Pamalosebi wrote:

Pamalosebi commented 3 months ago

Yes! You guys are so good 🙌

$ cat /etc/os-release 
NAME="Clear Linux OS"
VERSION=1
ID=clear-linux-os
ID_LIKE=clear-linux-os
VERSION_ID=41370
PRETTY_NAME="Clear Linux OS"
ANSI_COLOR="1;35"
HOME_URL="https://clearlinux.org"
SUPPORT_URL="https://clearlinux.org"
BUG_REPORT_URL="mailto:dev@lists.clearlinux.org"
PRIVACY_POLICY_URL="http://www.intel.com/privacy"
BUILD_ID=41370
$ xz --version
xz (XZ Utils) 5.4.6
liblzma 5.4.6

All my machines are on 41370.
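The three checks that come up in this thread (whether sshd has liblzma mapped into it, which xz release is installed, and whether the host has reached the 41370 build that carries the downgrade to 5.4.6) collected into one POSIX sh triage script. This is an added example, not code from the Clear Linux project or from xz-utils. The 41370 cutoff comes from the thread and the 5.6.0/5.6.1 range from CVE-2024-3094; the xz, ldd and os-release sample strings embedded in the script are constructed for illustration, and the assumed output formats are those shown in the thread.

```shell
#!/bin/sh
# CVE-2024-3094 triage helpers for a Clear Linux host. Added example, not code
# from the Clear Linux project or from xz-utils. Assumes the output formats of
# "xz --version", "ldd" and /etc/os-release shown in the thread; the sample
# strings below are constructed, not captured from a real machine.

# Upstream releases carrying the backdoor, per CVE-2024-3094: 5.6.0 and 5.6.1.
# Returns 0 (true) for a compromised release, 1 otherwise.
xz_version_is_compromised() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Extract the version from the first line of "xz --version" output,
# e.g. "xz (XZ Utils) 5.4.6" -> "5.4.6".
parse_xz_version() {
    printf '%s\n' "$1" | sed -n '1s/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p'
}

# The backdoor only reaches sshd if liblzma is mapped into the sshd process.
# On most distributions that happens indirectly (sshd -> libsystemd -> liblzma),
# so the check has to cover the transitive closure that "ldd" prints, not just
# the DT_NEEDED entries of the sshd binary itself. Returns 0 if liblzma shows up.
sshd_links_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# Pull BUILD_ID out of os-release contents (value may or may not be quoted).
os_release_build_id() {
    printf '%s\n' "$1" | sed -n 's/^BUILD_ID=//p' | tr -d '"'
}

# Run all three checks. Arguments: "xz --version" output, ldd output for sshd,
# os-release contents, first build known to carry the downgrade (41370, the
# build named in the thread). Prints one line per check and returns a bitmask:
# 1 = compromised xz release, 2 = sshd maps liblzma, 4 = build older than fix.
triage() {
    ver=$(parse_xz_version "$1")
    build=$(os_release_build_id "$3")
    status=0
    if xz_version_is_compromised "$ver"; then
        echo "xz ${ver:-unknown}: compromised release, downgrade or update now"
        status=$((status | 1))
    else
        echo "xz ${ver:-unknown}: not a known-compromised release"
    fi
    if sshd_links_liblzma "$2"; then
        echo "sshd: liblzma is mapped into sshd (exposed if xz is compromised)"
        status=$((status | 2))
    else
        echo "sshd: liblzma not linked (the lucky case from the thread)"
    fi
    if [ -n "$build" ] && [ "$build" -ge "$4" ] 2>/dev/null; then
        echo "build $build: at or past fixed build $4"
    else
        echo "build ${build:-unknown}: older than fixed build $4"
        status=$((status | 4))
    fi
    return "$status"
}

# Constructed samples in the assumed formats (not real captures).
XZ_BAD='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
XZ_OK='xz (XZ Utils) 5.4.6
liblzma 5.4.6'
LDD_LINKED='    linux-vdso.so.1 (0x00007ffd3a1f0000)
    libsystemd.so.0 => /usr/lib64/libsystemd.so.0 (0x00007f2c1a400000)
    liblzma.so.5 => /usr/lib64/liblzma.so.5 (0x00007f2c1a3c0000)'
LDD_CLEAN='    linux-vdso.so.1 (0x00007ffd3a1f0000)
    libcrypto.so.3 => /usr/lib64/libcrypto.so.3 (0x00007f2c1a000000)'
OSREL_FIXED='NAME="Clear Linux OS"
VERSION_ID=41370
BUILD_ID=41370'
OSREL_OLD='NAME="Clear Linux OS"
VERSION_ID=41360
BUILD_ID=41360'

# Pass --live to check the machine this runs on instead of the samples.
if [ "${1:-}" = "--live" ]; then
    triage "$(xz --version 2>/dev/null)" \
           "$(ldd "$(command -v sshd)" 2>/dev/null)" \
           "$(cat /etc/os-release 2>/dev/null)" 41370
fi
```

Run it with `--live` to check the local host; without arguments it only defines the functions and the samples. A non-zero return from `triage` is the thing to key on in a fleet sweep, and the bitmask tells you which of the three findings applied. Note that the version check alone is not sufficient either way: a compromised liblzma on a host whose sshd never maps it is a much smaller problem than the same library on a host where it does, which is exactly the distinction drawn in the thread.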