* Re: xz upstream backdoor compromise (was: Cygwin: Linux xz issue)
[not found] <em9acc6e7a-921f-4922-a5dd-77cc63657601@fece094b.com>
@ 2024-03-30 8:08 ` Brian Inglis
0 siblings, 0 replies; only message in thread
From: Brian Inglis @ 2024-03-30 8:08 UTC (permalink / raw)
To: Cygwin Apps
On 2024-03-29 16:43, Ron Murray via Cygwin wrote:
> There is a serious security issue with xz (and liblzma) versions 5.6.0-1 and
> 5.6.1-1. I note that cywin currently is suggesting an upgrade to 5.6.1-1, which
> is unsafe. I've looked at the cygwin archives and I don't see a reference to
> this: sorry if you're already aware of this issue.
>
> References:
> https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094
> https://access.redhat.com/security/cve/CVE-2024-3094
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3094
> https://sysdig.com/blog/cve-2024-3094-detecting-the-sshd-backdoor-in-xz-utils/
https://seclists.org/oss-sec/2024/q1/268
--
Take care. Thanks, Brian Inglis Calgary, Alberta, Canada
La perfection est atteinte Perfection is achieved
non pas lorsqu'il n'y a plus rien à ajouter not when there is no more to add
mais lorsqu'il n'y a plus rien à retirer but when there is no more to cut
-- Antoine de Saint-Exupéry
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2024-03-30 8:08 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
[not found] <em9acc6e7a-921f-4922-a5dd-77cc63657601@fece094b.com>
2024-03-30 8:08 ` xz upstream backdoor compromise (was: Cygwin: Linux xz issue) Brian Inglis
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).