Date: Sat, 30 Mar 2024 02:08:33 -0600
Subject: Re: xz upstream backdoor compromise (was: Cygwin: Linux xz issue)
From: Brian Inglis
Organization: Systematic Software
To: Cygwin Apps
Reply-To: cygwin-apps@cygwin.com
On 2024-03-29 16:43, Ron Murray via Cygwin wrote:
> There is a serious security issue with xz (and liblzma) versions 5.6.0-1 and
> 5.6.1-1. I note that cygwin currently is suggesting an upgrade to 5.6.1-1, which
> is unsafe. I've looked at the cygwin archives and I don't see a reference to
> this: sorry if you're already aware of this issue.
>
> References:
> https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094
> https://access.redhat.com/security/cve/CVE-2024-3094
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3094
> https://sysdig.com/blog/cve-2024-3094-detecting-the-sshd-backdoor-in-xz-utils/

https://seclists.org/oss-sec/2024/q1/268

--
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

La perfection est atteinte                   Perfection is achieved
non pas lorsqu'il n'y a plus rien à ajouter  not when there is no more to add
mais lorsqu'il n'y a plus rien à retirer     but when there is no more to cut
                                             -- Antoine de Saint-Exupéry
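An added check to go with the thread above (not code from either poster or from the Cygwin project): it flags an installed xz/liblzma that reports one of the versions Ron names as unsafe, 5.6.0 or 5.6.1. It assumes `xz --version` prints the two-line form shown in the comments.

```shell
# Added example for this thread (not code from the posters or the Cygwin project):
# a check for the xz / liblzma versions the post names as unsafe, 5.6.0 and
# 5.6.1. Assumes `xz --version` prints two lines of the form
#   xz (XZ Utils) 5.6.1
#   liblzma 5.6.1
# (the Cygwin "-1" package suffix is not in that output).

# Return 0 (true) when $1 is a version string the thread calls unsafe.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1|5.6.0-*|5.6.1-*) return 0 ;;
        *)                           return 1 ;;
    esac
}

# Reduce `xz --version` style text in $1 to one line "xz=<ver> liblzma=<ver>".
parse_xz_version_output() {
    printf '%s\n' "$1" | awk '
        /^xz \(XZ Utils\)/ { xz = $NF }
        /^liblzma/         { lib = $NF }
        END { printf "xz=%s liblzma=%s\n", xz, lib }'
}

# Return 0 when either the xz binary or its liblzma is an affected version.
# The text is passed in $1 so the check can run on captured output offline.
check_xz_output() {
    parsed=$(parse_xz_version_output "$1")
    xzv=${parsed#xz=}; xzv=${xzv%% *}
    libv=${parsed##*liblzma=}
    if xz_version_affected "$xzv" || xz_version_affected "$libv"; then
        return 0
    fi
    return 1
}

# Constructed sample standing in for the output on a box that took the upgrade.
SAMPLE_5_6_1='xz (XZ Utils) 5.6.1
liblzma 5.6.1'

# Inspect the real installation when xz is on PATH; stay quiet otherwise.
if command -v xz >/dev/null 2>&1; then
    if check_xz_output "$(xz --version 2>/dev/null)"; then
        echo "WARNING: installed xz/liblzma reports 5.6.0 or 5.6.1"
    else
        echo "installed xz/liblzma is not 5.6.0 or 5.6.1"
    fi
fi
```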