rdbo / sigma-linux

Sigma Linux - Σlite Operating System
GNU Affero General Public License v3.0

Vuln: update/replace/remove XZ #8

Closed rdbo closed 6 days ago

rdbo commented 3 months ago

Allegedly, Alpine Linux is not vulnerable to the XZ exploits introduced in mainstream XZ. But I wouldn't put my money on it; the guy who introduced the exploit has been developing XZ for 2 years. To counter this, Sigma Linux should upgrade the XZ packages (maybe remove?), and also use something else for compressing modules and firmware, like ZSTD (which has compression ratios close to XZ, but should be much faster for decompression, and no crazy security issues like this).
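The comment above asks whether the installed XZ is one of the affected releases. The following POSIX shell script is an added example, not code from the sigma-linux repository or from rdbo: it parses `xz --version`, compares the result against the two upstream xz-utils releases that shipped the backdoor (5.6.0 and 5.6.1, CVE-2024-3094), and checks whether `sshd` on the host loads `liblzma`, which is the path the backdoor used on glibc/systemd distributions. The version list and the "not installed" handling are this example's own assumptions; Alpine's musl/apk build was not a target of the injected build step, which is why the "Alpine is fine" claim is plausible, but the version check below is what actually confirms it on a given image.

```shell
#!/bin/sh
# Added example (not part of sigma-linux): audit the xz-utils install.
# Assumption: the only known-backdoored upstream releases are 5.6.0 and 5.6.1
# (CVE-2024-3094). Extend the list if your distro tracks others.
BAD_XZ_VERSIONS="5.6.0 5.6.1"

# xz_version_is_bad VERSION -> exit 0 if VERSION is a known-backdoored release
xz_version_is_bad() {
    v="$1"
    for bad in $BAD_XZ_VERSIONS; do
        [ "$v" = "$bad" ] && return 0
    done
    return 1
}

# parse_xz_version "xz (XZ Utils) 5.6.1" -> "5.6.1"
# The first line of `xz --version` has the shape "xz (XZ Utils) X.Y.Z".
parse_xz_version() {
    printf '%s\n' "$1" | sed -n '1s/.*) \([0-9][0-9.]*\).*/\1/p'
}

# check_installed_xz: report the xz on PATH; exit 1 only for a known-bad release
check_installed_xz() {
    if ! command -v xz >/dev/null 2>&1; then
        echo "xz: not installed"
        return 0
    fi
    ver=$(parse_xz_version "$(xz --version 2>/dev/null | head -n 1)")
    if xz_version_is_bad "$ver"; then
        echo "xz $ver: KNOWN BACKDOORED release, upgrade or remove it"
        return 1
    fi
    echo "xz $ver: not a known-bad release"
    return 0
}

# sshd_links_liblzma: exit 0 if the sshd binary resolves liblzma at load time.
# On glibc distributions this happened through libsystemd; musl-based Alpine
# has no systemd, so sshd there normally does not pull liblzma in at all.
sshd_links_liblzma() {
    sshd_bin=$(command -v sshd 2>/dev/null) || return 1
    ldd "$sshd_bin" 2>/dev/null | grep -q liblzma
}

check_installed_xz
if sshd_links_liblzma; then
    echo "sshd loads liblzma: the sshd attack path exists on this host"
else
    echo "sshd does not load liblzma (or no sshd found)"
fi
```

Run it inside the built image (or a chroot of it) rather than on the build host: the question is what the target system links, not what the developer's laptop has installed. A "not a known-bad release" verdict does not vouch for the package's provenance; pinning the source tarball hash in the package recipe is the check that catches a re-tagged release.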

rdbo commented 6 days ago

I guess this should be fine now? Closing for the time being.