Closed Pamalosebi closed 3 months ago
41370 is rolling out already with this done
also we got lucky, our sshd did not link to liblzma ;)
there will be a 380 later today/early tomorrow that has xz usage removed from as many places of the OS as possible, since most of those were optional stuff and... our patience with that just ended today.
On Fri, Mar 29, 2024 at 3:36 PM Pamalosebi @.***> wrote:
As it seems, xz-utils was compromised. Please downgrade them to somewhere pre 5.6.0...
For reference: https://access.redhat.com/security/cve/CVE-2024-3094#cve-cvss-v3 https://www.openwall.com/lists/oss-security/2024/03/29/4 https://nvd.nist.gov/vuln/detail/CVE-2024-3094
(if you cannot wait for the rollout, "swupd update --format staging" gets you to that release instantly)
On Fri, Mar 29, 2024 at 3:44 PM Arjan van de Ven @.***> wrote:
41370 is rolling out already with this done
also we got lucky, our sshd did not link to liblzma ;)
there will be a 380 later today/early tomorrow that has xz usage removed from as many places of the OS as possible, since most of those were optional stuff and... our patience with that just ended today.
On Fri, Mar 29, 2024 at 3:36 PM Pamalosebi @.***> wrote:
As it seems, xz-utils was compromised. Please downgrade them to somewhere pre 5.6.0...
For reference: https://access.redhat.com/security/cve/CVE-2024-3094#cve-cvss-v3 https://www.openwall.com/lists/oss-security/2024/03/29/4 https://nvd.nist.gov/vuln/detail/CVE-2024-3094
Thank you so much! Awesome 😊
(the 370 build rollout has reached my machines -- it might have reached yours as well by now)
On Fri, Mar 29, 2024 at 3:47 PM Pamalosebi @.***> wrote:
Thank you so much! Awesome 😊
Yes! You guys are so good 🙌
$ cat /etc/os-release
NAME="Clear Linux OS"
VERSION=1
ID=clear-linux-os
ID_LIKE=clear-linux-os
VERSION_ID=41370
PRETTY_NAME="Clear Linux OS"
ANSI_COLOR="1;35"
HOME_URL="https://clearlinux.org"
SUPPORT_URL="https://clearlinux.org"
BUG_REPORT_URL="mailto:dev@lists.clearlinux.org"
PRIVACY_POLICY_URL="http://www.intel.com/privacy"
BUILD_ID=41370
$ xz --version
xz (XZ Utils) 5.4.6
liblzma 5.4.6
All my machines are on 41370.
As it seems, xz-utils was compromised. Please downgrade them to somewhere pre 5.6.0...
For reference: https://access.redhat.com/security/cve/CVE-2024-3094#cve-cvss-v3 https://www.openwall.com/lists/oss-security/2024/03/29/4 https://nvd.nist.gov/vuln/detail/CVE-2024-3094
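The two checks this thread relies on (the installed xz version against the "pre 5.6.0" floor, and whether sshd links liblzma), as an added shell example that is not part of the original thread. The function names and the default sshd path `/usr/sbin/sshd` are assumptions.

```shell
#!/bin/sh
# Added example, not from the issue thread; function names are hypothetical.

# Print the version from `xz --version` output on stdin
# (first line looks like: xz (XZ Utils) 5.4.6).
xz_version_from_output() {
    sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Exit 0 if dotted version $1 is below 5.6.0 (the floor named in the issue),
# 1 if it is 5.6.0 or later, 2 if it cannot be parsed.
is_pre_560() {
    case $1 in ''|.*|*..*|*[!0-9.]*) return 2 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}
    if [ "$major" -lt 5 ]; then return 0; fi
    if [ "$major" -eq 5 ] && [ "$minor" -lt 6 ]; then return 0; fi
    return 1
}

# Exit 0 if the `ldd` output on stdin lists liblzma as a dependency.
ldd_lists_liblzma() {
    grep -q 'liblzma\.so'
}

# Report on the local host. The default sshd path is an assumption.
xz_check_report() {
    sshd_bin=${1:-/usr/sbin/sshd}
    ver=$(xz --version 2>/dev/null | xz_version_from_output)
    rc=0; is_pre_560 "$ver" || rc=$?
    case $rc in
        0) echo "xz $ver: pre 5.6.0" ;;
        1) echo "xz $ver: not pre 5.6.0" ;;
        *) echo "xz: version not found" ;;
    esac
    if [ ! -x "$sshd_bin" ]; then
        echo "sshd: $sshd_bin not found"
    elif ldd "$sshd_bin" 2>/dev/null | ldd_lists_liblzma; then
        echo "sshd: links liblzma"
    else
        echo "sshd: does not link liblzma"
    fi
}

xz_check_report "$@"
```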